Digital Loyalty Card GDPR Guide for UK Small Businesses

A plain-English guide to UK GDPR compliance for loyalty programmes. What data you collect, how to handle consent, data retention rules, and how a well-built platform handles most of this automatically.

Does a Digital Loyalty Programme Require GDPR Compliance?

Yes. Any digital loyalty programme that collects personal data about UK customers - names, email addresses, phone numbers, purchase history, location data - is subject to UK GDPR. This applies regardless of the size of your business. A sole trader running a six-stamp coffee card is subject to the same data protection principles as a national chain.

The good news is that UK GDPR compliance for a loyalty programme is not particularly complex when you understand the key requirements. Most of the obligations are met by choosing a platform that is built with data protection in mind and configuring your enrolment process correctly from the start.

This guide covers the essentials: what data a loyalty programme collects, which lawful basis applies, how to handle consent correctly, data retention rules, and what to do when a customer asks to see or delete their data. It is written for UK small business owners, not data protection lawyers.

What Data Does a Digital Loyalty Programme Collect?

A typical digital loyalty programme collects the following categories of personal data at enrolment: name, email address or phone number, and optionally date of birth (for birthday rewards). This is the data the customer provides directly.

Beyond enrolment, the programme generates behavioural data: visit dates and times, stamp history, reward redemptions, push notification responses, and in some cases approximate location (if geo-triggered stamps are used). This data is linked to the customer's profile and is the source of the programme's value - it is what enables targeted push notifications and reactivation campaigns.

All of this data is personal data under UK GDPR because it relates to an identifiable individual. You are the data controller - you decide how it is used. Your loyalty platform provider is the data processor - they process it on your behalf and must do so according to your instructions and their own privacy and security obligations.

  • Enrolment data: name, email or phone number, optional date of birth
  • Behavioural data: visit dates, stamp history, redemptions, push response rates
  • Derived data: visit frequency, last seen date, loyalty tier, lapse status
  • All data is personal data under UK GDPR - you are the data controller

Which Lawful Basis Applies to a Loyalty Programme?

Under UK GDPR, you must have a lawful basis for processing personal data. For a loyalty programme, the two most applicable bases are consent and contract.

Contract is the stronger basis for the core loyalty mechanics. When a customer joins your loyalty programme, they are entering a contract with you - they agree to share their data in exchange for stamps and rewards. Processing their name, email and visit history to operate the programme falls under this basis. You do not need separate consent for the data processing that is necessary to deliver the programme they signed up for.

Consent is required for direct marketing communications - push notifications, SMS messages, marketing emails - that go beyond what is necessary to operate the programme. When a customer joins your programme, they should be given a clear opportunity to opt in to marketing communications. This opt-in should be separate from the programme enrolment itself; you cannot bundle consent into the terms of joining.

Legitimate interests can apply to some processing activities - for example, analysing aggregate visit data for business planning - but should be assessed carefully. For most small business loyalty programmes, contract and consent cover the main processing activities without needing a legitimate interests assessment.

Consent and Enrolment - Getting It Right

The enrolment flow is the most important point to get right from a GDPR perspective. When a customer scans your loyalty QR code and adds the pass to their wallet, they should be shown: what data you collect, how it will be used, how long it will be kept, and a clear option to opt in (not pre-ticked) to marketing communications.

The privacy notice does not need to be long. A two-paragraph plain-English statement on the enrolment page covers the requirements. What it must include: the name of the data controller (your business name), contact details, the categories of data collected, the purposes of processing, the lawful basis for each purpose, how long data is kept, and the customer's rights (access, deletion, correction, objection).

For birthday rewards, the date of birth field must be clearly marked as optional and the purpose (automated birthday reward) must be stated. You cannot require a date of birth for programme enrolment - it must be a voluntary enhancement.

Marketing opt-in should be a clearly labelled checkbox, unticked by default, with a plain statement: 'I would like to receive push notifications and occasional promotional messages from [your business name].' Customers who do not tick this box can still join the programme and earn stamps - they just will not receive marketing pushes.

  • Privacy notice required at enrolment - plain English, not a lengthy document
  • Marketing opt-in must be separate, clearly labelled and unticked by default
  • Date of birth must be optional - cannot be required for programme enrolment
  • Keep a record of when and how each customer gave consent
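An added illustration, not Ruloyal's own code, of how an enrolment handler can enforce the rules above: name and an email or phone number are required, date of birth is optional, and marketing consent is recorded only from an explicit tick, together with when, how and under which privacy notice it was given. The form field names and the notice version label are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

# Assumed version label for the privacy notice text shown on the enrolment page
NOTICE_VERSION = "2025-01"

@dataclass
class ConsentRecord:
    marketing_opt_in: bool
    recorded_at: datetime     # when the consent (or the refusal) was recorded
    method: str               # how it was given, e.g. the enrolment-form checkbox
    notice_version: str       # which privacy notice the customer was shown

@dataclass
class Enrolment:
    name: str
    contact: str              # email address or phone number
    date_of_birth: Optional[date]
    consent: ConsentRecord

def build_enrolment(form: dict, now: Optional[datetime] = None) -> Enrolment:
    """Turn submitted enrolment form fields (a plain dict; field names assumed) into a record.
    Name and an email or phone number are required because they are needed to run the
    programme (contract basis). Date of birth is optional. Marketing opt-in is True only
    when the checkbox was explicitly ticked; a missing or empty field means no consent.
    """
    now = now or datetime.now(timezone.utc)
    name = (form.get("name") or "").strip()
    contact = (form.get("email") or form.get("phone") or "").strip()
    if not name or not contact:
        raise ValueError("name and an email address or phone number are required")
    dob_raw = (form.get("date_of_birth") or "").strip()
    dob = date.fromisoformat(dob_raw) if dob_raw else None   # blank is allowed, never required
    # Only an explicit tick counts; anything else (missing, "", "off") is recorded as not consented.
    ticked = str(form.get("marketing_opt_in", "")).strip().lower() in ("on", "true", "1", "yes")
    consent = ConsentRecord(ticked, now, "enrolment-form-checkbox", NOTICE_VERSION)
    return Enrolment(name, contact, dob, consent)

def can_send_marketing(e: Enrolment) -> bool:
    """Pushes beyond operating the programme go only to customers who opted in."""
    return e.consent.marketing_opt_in
```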

Data Retention - How Long Can You Keep Customer Data?

UK GDPR requires you to keep personal data only for as long as necessary for the purpose it was collected. For a loyalty programme, this means you need a clear retention policy.

A reasonable approach for most small businesses: retain the data of active customers (anyone who has had a stamp or redemption in the past 24 months) for as long as the programme is running. For customers who have been inactive for more than 24 months, delete or anonymise their records unless there is a specific reason to retain them.

When a customer leaves the programme (by requesting deletion), their personal data should be deleted within 30 days. Anonymised aggregates (total stamps issued on a particular day, redemption rate percentages) can be retained without time limit as they are no longer personal data.

Your retention policy should be documented - even a short paragraph in your privacy notice - and your loyalty platform should give you the tools to delete customer records when required.
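An added example, not the platform's own code, of the retention policy described above: stamps are counted into anonymous per-day totals as they are issued, a sweep erases profiles with no activity in the last 24 months, and a deletion request drops a profile while the per-day totals survive. The record layout, the 730-day rendering of 24 months and the sample customers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=730)   # 24 months, as in the policy above (730 days assumed)
SWEEP_DATE = date(2025, 6, 1)            # constructed "today" for the sample run

@dataclass
class Customer:
    customer_id: str
    name: str
    contact: str                                  # email address or phone number
    enrolled_on: date
    stamps: list = field(default_factory=list)    # dates on which stamps were issued

def issue_stamp(c: Customer, daily_totals: dict, day: date) -> None:
    """Record a stamp on the profile and, at the same time, in the per-day total.
    The total carries no customer identifier, so it is not personal data."""
    c.stamps.append(day)
    daily_totals[day] += 1

def last_activity(c: Customer) -> date:
    """Most recent stamp, falling back to the enrolment date for never-stamped customers."""
    return max(c.stamps + [c.enrolled_on])

def is_inactive(c: Customer, today: date) -> bool:
    return today - last_activity(c) > INACTIVITY_LIMIT

def erase_customer(customers: dict, customer_id: str) -> bool:
    """Deletion request: drop the whole profile (name, contact, stamp history).
    Daily totals stay as they are; a customer who rejoins later starts from zero."""
    return customers.pop(customer_id, None) is not None

def retention_sweep(customers: dict, today: date) -> list:
    """Erase every customer inactive for more than 24 months; returns the erased ids."""
    stale = [cid for cid, c in customers.items() if is_inactive(c, today)]
    for cid in stale:
        erase_customer(customers, cid)
    return stale

def sample_programme() -> tuple:
    """Constructed sample data: one active, one lapsed and one newly enrolled customer."""
    customers, daily_totals = {}, defaultdict(int)
    for cid, name, enrolled in [("c1", "Alice", date(2023, 1, 10)),
                                ("c2", "Bob", date(2022, 1, 5)),
                                ("c3", "Carol", date(2024, 12, 1))]:
        customers[cid] = Customer(cid, name, f"{name.lower()}@example.com", enrolled)
    issue_stamp(customers["c1"], daily_totals, date(2025, 5, 20))
    issue_stamp(customers["c2"], daily_totals, date(2022, 3, 1))
    return customers, daily_totals
```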

Subject Access Requests and Deletion Requests

Under UK GDPR, customers have the right to request a copy of all personal data you hold about them (a Subject Access Request, or SAR) and the right to request deletion of their data (the right to erasure, sometimes called the right to be forgotten). You must respond to a SAR within one month.

For a loyalty programme, a SAR response would typically include: the customer's name, contact details, date of birth (if provided), all stamping and redemption history, and any marketing preferences recorded. A good loyalty platform will let you export this data in a readable format without needing to contact your platform provider.

A deletion request means removing the customer's personal data from your records. Their stamp history, contact details and profile should be deleted. If they rejoin later, they start from zero - their previous history cannot be restored.

Neither SARs nor deletion requests are common in practice for small business loyalty programmes. But having a simple process in place - ideally a dedicated email address for data requests - demonstrates good faith and protects you if a complaint is made to the ICO.

How Ruloyal Handles GDPR Compliance

Ruloyal is built with UK GDPR compliance as a design principle, not an afterthought. Customer data is stored on servers within the UK and EU. All data is encrypted at rest and in transit. The platform provides a Data Processing Agreement (DPA) to all business customers, which documents the processor-controller relationship required under UK GDPR.

The enrolment flow includes a privacy notice and a separate marketing opt-in that meets the UK GDPR consent requirements described above. Customer records can be viewed, updated, exported and deleted from the dashboard at any time - giving you the tools to respond to SARs and deletion requests without manual database access.

Ruloyal does not sell or share customer data with third parties. The data you collect belongs to your business - we process it on your behalf to operate the loyalty programme and, if you use integrations, to sync it with the tools you have connected.

  • Data stored on UK and EU servers - not transferred to third countries without appropriate safeguards
  • Full encryption at rest and in transit
  • Data Processing Agreement provided to all business customers
  • Customer records exportable and deletable from the dashboard
  • Customer data is not sold or shared with third parties

Digital Loyalty Card GDPR - Frequently Asked Questions

Does a small business loyalty programme need to comply with GDPR?

Yes. UK GDPR applies to any organisation that processes personal data about UK residents, regardless of business size. A sole trader running a digital loyalty card for their café is subject to the same data protection principles as a large retailer. The key requirements are having a lawful basis for processing, providing a privacy notice at enrolment, handling marketing consent correctly, and being able to respond to subject access and deletion requests.

Do I need explicit consent for every stamp I issue?

No. Stamps are issued as part of the contract of the loyalty programme - the customer joined knowing they would earn stamps on qualifying purchases. You do not need separate consent for each stamp transaction. Consent is specifically required for direct marketing communications (push notifications, marketing emails, SMS) that go beyond operating the programme itself.

Can I use customer loyalty data for targeted advertising?

You can use anonymised or aggregated loyalty data (e.g., uploading a customer list as a Facebook Custom Audience) if your privacy notice covers this use and customers have consented to marketing communications. You should not use individual customer data for advertising purposes beyond what is stated in your privacy notice at enrolment.

What happens to customer data if I cancel my loyalty platform subscription?

Under UK GDPR, you remain the data controller even after cancelling your subscription. You should export your customer data before cancellation and either retain it in accordance with your data retention policy or delete it. A reputable platform will provide a data export facility and confirm data deletion after account closure.

Do I need to register with the ICO to run a loyalty programme?

Most UK businesses that process personal data for commercial purposes need to register with the Information Commissioner's Office (ICO) and pay the annual data protection fee. The fee is £40–60 per year for most small businesses. Running a loyalty programme involves commercial processing of personal data, so ICO registration is typically required. Check the ICO's self-assessment tool at ico.org.uk to confirm your specific obligations.

A loyalty platform built for UK compliance

Ruloyal handles GDPR compliance by design - encrypted storage, DPA provided, consent-ready enrolment flow. Start your free trial today.