posted Aug 14, 2016, 2:04 AM by Sami Lehtinen
updated Aug 14, 2016, 2:06 AM
- Finally Finland's largest retail chain announced that they're going to utilize the customer loyalty data. I've been wondering for a long time why they provide loyalty cards and register them with transactions if they don't actually utilize the data. During all this big data hype stuff, it sounds silly that someone has got all the data, but they're not using it for anything. Yet I guess that's the norm in many places. There's data, but it isn't being used. Or is minimally used. Like in this case it was used to track the monthly purchase sum, but there's just so much you could use the data for. Some people are horrified that their purchases are being tracked. Of course those have been tracked all the time. It's just that the information collected hasn't been well visible to them. All the data is still there and it's required by law to be kept for 7 years, so I'm pretty sure they've got it. So if you use any kind of loyalty card, don't be shocked if that information is used for something else than just getting discounts. Also the S-Group advertising has been extremely bad. They often offer products that I've already got, even if they well know it. As they said in one post, yes, it makes customers think that they've got a bunch of dorks at their advertising and IT department. Or maybe their staff is just highly incompetent or totally lazy. I can just post random badly made advertising to everyone. I could do a better job, but I just don't really care. I think I've criticized them about exactly this earlier. If the targeted advertising is done right, it's just beneficial for both parties and data isn't being "abused" for other purposes. S-Group is so large that someone would notice if they abuse data. I've also written about collected data abuse.
A data researcher could just copy data, take it home and as a "criminal independent actor" do all kinds of "illegal" mix and match processing with it, and then give back the summarized reports, which are based on combining information in ways that aren't allowed by law. But who knows that. Here's my report, ahem, I forgot to mention sources. I know they trust me. So don't ask any questions you don't want to get answers for. If anything bad happens, they can always blame the independent actor, even if the process was totally "approved" by the management unofficially. Even better, someone makes the code and process ready. And then the "summer worker", who just doesn't know that running the batch with this particular data would be illegal, runs it. Hahah. Isn't this how things work (?). This is a bit harder in the EU than it is in the US, but sure there are ways to get it done, if it's profitable enough. In these times of big data, if there's something you want to hide, how about not doing it at all? Some people were very worried that their alcohol purchases are being tracked. If you drink so much it's a problem, how about cutting it or stopping completely? Related to the topics: chilling effect, panopticon, self-censorship and privacy.
- I also used their NFC loyalty program with Mobile Phone & App and it worked perfectly. Awesome. I've just seen way too many technical fails so I wasn't expecting it to work well, but it did. Of course we can derive many tinfoil hat theories from this. All information collected may and can be used against you. It will be seen in court later what will happen.
- Very nice related blog post by Petteri Järvinen: Who's benefiting from customer data collection (in Finnish). Well. It didn't contain anything new at all and I agree with it. But that's just because all the stuff said in it was blatantly obvious.
- Some other discussion brought up exactly the same point I've written about earlier. All modern POS systems already collect this information by default, and have been collecting it for a long time. So there's nothing new about this. Ever since the 'integrated payment terminal' became the norm, it has been totally obvious that the information IS there, always when you pay by card. Or even without integration it would be possible to combine that information. It just hasn't been fully pre-processed, but it doesn't mean that the information wouldn't be recorded, nor available if required after just jumping through a few hoops.
- Just like in one security audit, it was a clear requirement that all logging and history data has to be kept by the systems, preferably for 5 years. There just isn't one single location to quickly and easily fetch it from. But if required, it can be collected and processed as part of forensic analysis. Yes, it will take time and require an effort, but it is doable if required. Related: Security Information and Event Management (SIEM).
- As I've written earlier, it would also be nice if the customer would get some actual benefits from the loyalty program. Some loyalty programs provide really marginal benefits to the actual customer. That's why I simply opt out. If I would opt in I would need to give them my info, they would spam me with ads, and I would still benefit maybe 5€ / year from the loyalty program if I'm lucky. Is that really worth it? Plus many loyalty programs require me to carry an awkward loyalty card or something similar. Why would I do that for 5€ / year? No way.