Changes to Australia’s Privacy Act pose increased risks for retailers' loyalty programs

Retailers offering loyalty programs are facing heightened risks following changes to Australia’s Privacy Act, with the potential for severe penalties unless they take proactive steps to identify, store, or remove customer data appropriately.

Forensic Services Partner Conor McGarrity highlighted that while the changes to the Privacy Act were necessary for stronger privacy protections, retailers must conduct thorough reviews of the personal data they hold, especially in relation to their loyalty programs.

“Loyalty programs collect vast amounts of personal data—addresses, phone numbers, transaction histories, and preferences—often without revisiting this information for years,” Conor said.

“The regulators are now taking a much harder stance, questioning whether all of this data is still necessary to retain. For retailers, that could mean facing scrutiny over data that no longer serves a valid business purpose.”

Conor said businesses need to take immediate action by conducting a comprehensive stocktake of all the personal data they have, particularly within loyalty programs, to assess what’s being stored, why it was collected, and whether it’s still relevant or necessary.

“It’s crucial for businesses to understand the full extent of the data they’re holding—especially as loyalty programs grow and evolve.

Many retailers are sitting on large troves of old data that could expose them to significant privacy risks,” he said.

“Retailers need to know where their data is stored, how it’s accessed, and whether it's truly needed anymore. Companies subject to the Australian Privacy Principles must take continuing and proactive steps, including training relevant personnel.”

Conor said the potential consequences for businesses that fail to comply could be devastating. “Companies could face penalties up to $50 million or three times the value of the benefit obtained from mishandling personal data. The regulator can now also issue infringement notices to companies for up to $66,000, without having to take claims through the courts,” he said.

“The key to compliance will be accountability and transparency—especially since individuals will now have the right to take legal action if their privacy is breached. For retailers, this means a sharp focus on ensuring that customer data, particularly in loyalty programs, is handled properly.”

To safeguard against privacy breaches, Conor recommended conducting privacy impact assessments and adopting a privacy-by-design approach when implementing new technologies or updating loyalty program systems.

“Retailers should also be mindful of cyber risks related to loyalty program accounts, such as credential stuffing attacks and compromised staff access. Multi-factor authentication is a simple yet effective way to protect customer accounts and reduce the risk of a breach,” he said.

In light of these changes, retailers are urged to take immediate action to ensure their loyalty programs comply with the evolving privacy landscape to avoid costly penalties and reputational damage.

For media enquiries:
Tate Papworth
Manager, Media
E: Tate.Papworth@bdo.com.au
Ph: 0433411189