PONT Data&Privacy

AI in Loyalty Programs: the holy grail for every marketer?

Artificial Intelligence (AI) promises the hospitality industry a revolution for loyalty programs: hyper-personalized offers, improved customer loyalty and maximized revenue. AI can analyze data and recognize patterns on a scale that is humanly impossible. But how do you ensure this technology complies with applicable regulations such as the AI Act and the AVG (the Dutch abbreviation for the GDPR)? How do you balance innovation with legal compliance? In this article, we provide some practical guidance for compliant and future-proof use of this technology.

March 13, 2025

News press release

Data collection

From a marketing perspective, data is still gold. As a rule, therefore, we try to collect as much personal data about customers as possible; think of name and address details, buying behavior, customer communications, social media interactions, data obtained from third parties, data provided by the customer himself, for example through a survey, etc. All very valuable data for a personalized digital marketing campaign.

However, actually collecting personal data is not so easy in practice. An attractive loyalty program is sometimes used to convince a (potential) customer to create an account and fill in a list of personal data (20 points if you also fill in the optional fields). The customer then becomes a member. The idea that as a customer you belong to an exclusive "club" often does well, as does the prospect of a free hotel stay if you accumulate enough points.

Suppliers promise the hospitality industry various tools in this regard. These tools first classify customers into segments (e.g., "new customers," "best customers," and "intermittent customers," but often a lot more specific). AI is then unleashed on these segments and a prediction of customer behavior is generated per segment. Hyper-personalized offers are then based on that prediction.

How do you align such a practice with relevant regulations such as the AI Act and the AVG? Here is a (non-exhaustive) list of some key compliance considerations.

Legal basis

If you base participation in a loyalty program on consent, note that there are often different processing activities for different purposes. Consent must be sought separately for each purpose.

First, distinguish the various processing activities (and their related purposes), for example:

  • Participation in the loyalty program;

  • Classifying customers into segments;

  • Sending personalized direct marketing messages.

A common remark from marketing departments is that the more consent boxes have to be checked, the sooner the (potential) customer will drop out. For each purpose, check carefully whether another basis, such as legitimate interest, can be used. Sending personalized marketing messages must be based on consent. Make sure the consent box is not a 'mandatory field': it should not be a condition for participation in the loyalty program.[1]

Transparency

Art. 13 of the AVG applies to personal data collected directly from the customer. Provide a comprehensible explanation of the loyalty program in the (online) privacy statement, stating the various processing activities, purposes and bases. Insofar as the content of advertising texts is generated through AI and this qualifies as generative AI, a marking obligation applies to the provider of the AI system[2].

Data protection by design

The danger of unleashing AI on customer data is that customers often do not expect it. Avoid personalized offers and related prices that vary by customer to the point of being discriminatory, and messages that are personalized to the point of being too intrusive. Personal data should not be processed in a way that is prejudicial, unlawfully discriminatory, unexpected or misleading to the data subject.[3]

Data minimization

Only use loyalty member data for direct marketing purposes that are in line with their expectations, such as their purchase history. Avoid web-scraping.

Automated decision-making

The moment an automated decision is used to generate a prediction of customer behavior and a personalized advertisement is shown based on this prediction, in most cases it will not be a decision that "significantly affects" a person, as referred to in Art. 22 AVG.

However, the decision may well significantly affect individuals, depending on the specifics of the case, including:

  • the intrusive nature of any profiling process;

  • the expectations and desires of the individuals involved;

  • the use of knowledge about the vulnerabilities of those approached.[4]

In short, avoid collecting too much data on customers, take into account customer expectations, and avoid using special personal data or knowledge of data subjects' vulnerabilities. 

Want to know more about this topic? Please contact Elise Troll, legal counsel at Kennedy Van der Laan. Elise advises companies and organizations in the field of privacy compliance, assists various national and international clients in issues concerning the AVG, and litigates in civil privacy cases.

[1] Art. 4 (11) AVG.

[2] Art. 50 (2) AI Act.

[3] EDPB Guidelines 4/2019 on Article 25 "Data Protection by Design and by Default," Oct. 20, 2020, para. 69.

[4] EDPB Guidelines on automated individual decision-making and profiling for the purposes of Regulation (EU) 2016/679, Feb. 6, 2018, p. 26.
