Loyalty programs: data, ACL and the compliance traps

Loyalty program rules in Australia: how the ACL, unfair contract terms, consumer guarantees and privacy law govern points, data and T&Cs, plus key compliance traps.

Rules Mate Editorial. Published 19 April 2026. 6 min read.

Loyalty programs in Australia are not governed by a single "loyalty program Act". Instead they sit at the intersection of the Australian Consumer Law (ACL) — Schedule 2 of the *Competition and Consumer Act 2010* — and the Privacy Act 1988, with the ACCC and the OAIC as the two principal regulators. In practice this means an operator must run a program that is not misleading, whose standard-form terms are not "unfair", that does not strip consumers of their statutory consumer guarantees, and that collects and uses member data lawfully and transparently. Get any one of those wrong and the program becomes a compliance liability rather than a marketing asset.

This explainer sets out the substance, the thresholds and timing that matter, and the traps operators most often fall into. For the underlying obligation pages, see loyalty program ACL compliance and consumer guarantees.

What rules govern loyalty programs in Australia

The short answer: the ACL controls how you advertise, describe and contract the program; unfair contract terms (UCT) rules control what you can put in your standard-form terms and conditions; consumer guarantees control the goods and services members actually redeem; and privacy law controls the data the program collects. None of these can be contracted out of. The ACCC's 2019 Customer Loyalty Schemes review remains the regulator's clearest statement of expectations, and several of its concerns have since hardened into stronger law (notably the UCT penalty regime).

Who this applies to

The rules apply broadly to any business that operates a points, rewards, cashback, tiered-membership or "frequent buyer" scheme offered to consumers, including:

  • Retailers, supermarkets and quick-service food chains.
  • Airlines, hotels and travel operators (frequent-flyer and guest schemes).
  • Banks and card issuers offering rewards points.
  • Subscription and digital platforms with rewards tiers.
  • Coalition programs that pool points across multiple partners.

There is no minimum value or member threshold. A free program is still a "contract" for ACL purposes, and the UCT regime applies to standard-form consumer contracts irrespective of value. Coalition and partner programs raise extra complexity because data and obligations flow between entities.

The Australian Consumer Law: misleading conduct and consumer guarantees

Two ACL pillars matter most.

Misleading or deceptive conduct. Under the ACL (Schedule 2 of the Competition and Consumer Act 2010), it is unlawful to mislead members about how the program works — earn rates, point values, expiry, the real cost of "free" rewards, or the conditions on redemption. Headline claims ("earn points on every purchase") must hold up against the fine print. Silence or burying material conditions can itself be misleading.

Consumer guarantees. When a member redeems points for goods or services, the consumer guarantees still apply. A reward flight, hotel night or product must be of acceptable quality and fit for purpose, and the guarantees cannot be excluded, restricted or modified by the program's terms. A clause saying "rewards are provided as-is with no warranties" is ineffective to the extent it purports to override the ACL. This is a frequent drafting error in older loyalty terms.

Unfair contract terms: the biggest exposure

This is where most operators carry real, quantifiable risk. Loyalty terms are almost always standard-form consumer contracts, so the UCT regime applies. Since the regime was strengthened on 9 November 2023, using or relying on an unfair term in a standard-form consumer contract is not merely voidable — it can attract substantial civil penalties, with each unfair term treated as a separate contravention. The penalties are significant (verify the current maximum figures with the ACCC before relying on a specific number).

A term is unfair, broadly, if it would cause a significant imbalance in the parties' rights, is not reasonably necessary to protect the operator's legitimate interests, and would cause detriment if relied on. The ACCC specifically flagged the following loyalty clauses as likely problem areas:

  • Broad rights to unilaterally vary earn rates, point values or redemption thresholds.
  • Rights to cancel or expire points without cause or without reasonable notice.
  • Rights to terminate membership or forfeit accrued points at the operator's sole discretion.
  • Terms allowing retrospective changes that strip away benefits already earned.

Reasonably necessary, narrowly drafted variation rights coupled with proper notice are defensible; open-ended "we can change anything at any time" clauses are not.

Data, privacy and the linking of payment cards

Most loyalty programs are, in substance, data-collection engines. That brings the Privacy Act 1988 and the Australian Privacy Principles into play, overseen by the OAIC. Key obligations:

  • Collect only personal information reasonably necessary for the program, and disclose collection clearly.
  • Make privacy policies accessible and readable — the ACCC criticised opaque, hard-to-find policies.
  • Obtain appropriate consent for secondary uses such as selling data insights or sharing data with third parties and coalition partners.
  • Honour reasonable access and correction requests.

The ACCC made a pointed recommendation that the practice of linking a member's payment card to their loyalty profile so purchases are tracked even when the loyalty card is not scanned should not occur without clear, informed member consent. Treat covert or bundled tracking consents as high-risk.

Privacy reform is also moving. Some changes are already enacted — for example, a statutory tort for serious invasions of privacy and new transparency requirements for automated decision-making. Other proposals, including the proposed removal of the small-business exemption, have been flagged but are not yet legislated with a settled commencement date; do not assume the exemption has been removed. Track developments via the privacy topic hub and confirm current status with the OAIC. Many larger loyalty operators already exceed the small-business threshold and are covered regardless.

Timing, notice and changing the rules

The recurring flashpoint is changing the program after members have joined. Compliance principles:

  • Give reasonable advance notice of changes to earn rates, point values or expiry.
  • Avoid retrospective changes that devalue points already earned.
  • Make sure any variation right in the terms is itself narrow enough to survive UCT scrutiny.
  • Communicate changes prominently — not buried in updated T&Cs that members never see.

There is no single statutory "notice period" for loyalty changes; reasonableness is judged in context, so build a clear, documented notice process rather than relying on a fixed number of days.

Compliance checklist and common pitfalls

Use the following as a working review list:

Area             Action
Terms            Review standard-form terms for unfair variation, cancellation and forfeiture clauses
Advertising      Ensure earn/redemption claims match the fine print
Guarantees       Remove any clause purporting to exclude consumer guarantees on rewards
Privacy          Make the privacy policy clear; confirm consent for data sharing and card-linking
Change process   Document a reasonable-notice process; avoid retrospective devaluation

Common pitfalls:

  • Treating a "free" program as outside contract and consumer law — it is not.
  • Relying on broad unilateral-variation clauses post-November 2023.
  • Excluding consumer guarantees on redeemed goods or services.
  • Tracking purchases via linked payment cards without clear consent.
  • Assuming proposed privacy reforms are settled law before they commence.

A loyalty program that is transparent, fairly drafted and privacy-respecting is also more durable commercially — the same features that reduce regulatory risk build member trust.

Frequently asked

Are loyalty program terms and conditions covered by unfair contract term laws?

Yes. Loyalty terms are almost always standard-form consumer contracts, so the unfair contract terms regime applies regardless of program value. Since 9 November 2023, using or relying on an unfair term can attract civil penalties, with each term a separate contravention.

Can a loyalty program exclude consumer guarantees on rewards?

No. When a member redeems points for goods or services, the ACL consumer guarantees still apply and cannot be excluded, restricted or modified by the program's terms. A clause purporting to remove them is ineffective to that extent.

Can a company change earn rates or expire points whenever it wants?

Not freely. Broad unilateral rights to vary point values, cut earn rates or cancel points without cause or reasonable notice are likely unfair contract terms. Operators should give reasonable advance notice and avoid retrospective changes to points already earned.

What are the privacy rules for loyalty program data?

Programs covered by the Privacy Act must collect only information reasonably necessary, keep privacy policies clear and accessible, and obtain appropriate consent for secondary uses like selling data insights or linking payment cards to member profiles. The OAIC oversees these obligations.

Has the small-business exemption to the Privacy Act been removed?

Not as settled law. Removing the small-business exemption has been proposed but is not yet legislated with a confirmed commencement date. Some reforms (such as the statutory tort and automated-decision transparency) are already enacted. Confirm current status with the OAIC.
