“Retailer loyalty apps” – Current legal developments and what they mean for businesses

Retailer loyalty apps have become a fixture of everyday consumer life across Europe, with Germany serving as a prominent example of this widespread trend. A recent representative survey, commissioned by the Federation of German Consumer Organisations (vzbv), found that 78% of smartphone users rely on at least one loyalty app from the four major German food retail groups: Edeka Group, Rewe Group, Schwarz Group and Aldi (representative vzbv online survey of 14 January 2026, available here). Download figures surged by 72% in the first two months of 2025 alone, while total usage time reached 615 million hours in 2024 (see CE-Markt: Use of retail apps on the rise, 2025, available here).

The value proposition appears straightforward: consumers receive coupons, personalised discounts and gamification perks. In return, retailers gain granular insight into purchasing behaviour through the collection and analysis of personal data. These apps are almost invariably marketed as “free of charge”.

However, under the heading ”paying with data”, consumer protection organisations have begun to challenge the premise of these business models. Their central claim is that users do not receive discounts for nothing – it is actually their personal data they pay with. 

Four questions at the heart of the debate

The legal discussion around “paying with data” is a genuinely cross-cutting and cross-border issue, engaging national civil law as well as European regulatory frameworks, including unfair competition regulations and the General Data Protection Regulation (GDPR). The current discussion clusters around four core questions:

1. Must businesses display a "total price" when consumers provide personal data to register for retailer loyalty apps?
2. May retailer loyalty apps be advertised as "free of charge" if users provide personal data in return?
3. Does offering discounts exclusively via a specific app constitute unlawful discrimination against offline consumers?
4. On what legal basis is the personal data collected through retailer loyalty apps processed?

Question 1: Must businesses display a "total price" when consumers provide personal data to register for retailer loyalty apps?

Although Art. 6(1)(e)) Consumer Rights Directive generally requires disclosure of the total price prior to registration, the application of this requirement is less clear where the consumer provides personal data rather than a payment. In these circumstances, there are good arguments for a narrow, value‑oriented understanding of the term “price” under which non-monetary compensation would fall outside its scope and no obligation to display a total price would arise:

• Narrow reading of "price": A narrow reading of “price” under the Consumer Rights Directive obliges the retailer to indicate the total price owed for their service, but not to disclose other forms of consideration, such as the provision of personal data.
• Monetary quantifiability required: This can be understood as an interpretation of "price" that refers exclusively to an amount capable of being quantified and calculated in monetary terms.
• No obligation to disclose "other considerations": A high level of consumer protection does not require retailers to disclose "other forms of consideration" under the Consumer Rights Directive.
• Complementary transparency safeguards exist: The information and transparency obligations under Art. 13 and 14 GDPR ensure that data processing is disclosed irrespective of any price indication.

By way of example, these arguments for narrow interpretation of the term “price” were likewise endorsed by the German Stuttgart Higher Regional Court (HRC) in a recent judgment (judgment of 23 September 2026, file no. 6 UKl 2/25) examining the retailer loyalty app "Lidl Plus" operated by one of Germany’s largest food discounters, Lidl. The Stuttgart HRC examined the relevant German provision implementing the Consumer Rights Directive, and concluded that Lidl is not required to indicate a total price when consumers register for its loyalty app.

Also the European Data Protection Supervisor (EDPS) likewise expressed reservations in its Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content. The EDPS observed “that it will be difficult, and sometimes impossible, to easily identify the cases where personal data are actively provided as counter-performance for the provision of a “free” digital services or contents […]. For these reasons, the EDPS considers that the term “data as a counter-performance” should be avoided.” (Opinion, p. 10).

Question 2: Can apps be advertised as "free of charge"?

At the European level, the Unfair Commercial Practices Directive provides the relevant framework (see No. 20 of its Annex I in conjunction with Art. 5(5) Unfair Commercial Practices Directive), prohibiting the misleading presentation of a product or service as “free of charge”. If the provision of personal data were to qualify as a form of cost, marketing such apps as “free” could constitute an unfair commercial practice. Proponents of such a view favour a narrow interpretation of the term “cost” and advance the following argument:

• The Unfair Commercial Practices Directive targets “subscription or cost traps” – situations in which consumers face hidden monetary charges – rather than scenarios involving the provision of personal data.
• The prohibition applies only to costs of which the consumer is not expressly informed. Since the relevant terms of use of the specific retailer loyalty app explicitly state that no monetary costs arise and consumers do not have to pay money for using the app, there is no deception.

Others, however, take a more expansive position and advocate a broader understanding of the term “costs”. The following arguments are put forward in support of this view:

• Equivalence with monetary payment under the Digital Content Directive: The Digital Content Directive (see its Art. 3(1) subpara. 2) treats the provision of personal data for purposes such as advertising as equivalent to a monetary payment.
• Remuneration concept under the European Electronic Communications Code: The Directive on the European Electronic Communications Code indicates in its recital 16 that the concept of "remuneration" covers situations where a provider requests – and a consumer provides – personal data. This supports treating data provision as a form of economic exchange.
• Consumer protection rationale: Where access to an app depends on the provision of personal data, there is a real risk that the economic value of the consumer’s consideration remains hidden – and that consumers fail to recognise the potential burden (e.g. targeted advertising) that may result from sharing their data.

The Court of Justice of the European Union (CJEU) has not yet definitively ruled on the interpretation of the applicable legal regime. However, in case C‑371/20, the CJEU adopted a broad understanding of the term “paid” in the Unfair Commercial Practices Directive. The CJEU interpreted “paid” to encompass any consideration of monetary value, regardless of whether it consists of money, goods, services, or other assets. In doing so, the CJEU referred, among other factors, to the particularly broad material scope of the directive and to its objective of ensuring a high level of consumer protection.

The CJEU will have an opportunity to further elaborate on the issue. This is because the German Federal Court of Justice (FCJ), taking into account the divergent interpretations set out above, has referred the matter to the CJEU for a preliminary ruling (FCJ, referral order of 25 September 2025, file no. I ZR 11/20), which is currently pending under case number C‑643/25. The referred question is as follows:

“Does the term ‘cost’ within the meaning of point 20 of Annex I to Directive 2005/29/EC, (1) in conjunction with Article 5(5) thereof, also cover the disclosure of personal data and consent to their use for commercial purposes?”

For businesses operating retailer loyalty apps, a potential CJEU judgment confirming that the provision of personal data constitutes ‘costs’ could have far‑reaching consequences:

• Advertising restrictions: Presenting retailer loyalty apps as "free of charge" could become impermissible and require reclassification.
• Disclosure obligations: Retailers may need to highlight the provision of data as an economically relevant consideration and embed this transparently in customer communications, including terms of use.
• Regulatory recalibration: Information obligations under both consumer protection law and data protection law may need to be reassessed and potentially harmonised in the retailer’s data policies.

However, a final decision will take some time. The CJEU has not yet taken any further procedural steps, such as scheduling an oral hearing or requesting an Advocate General’s opinion. It therefore appears unlikely that a decision will be issued before the end of 2026. 

Question 3: Discrimination of offline consumers

Another issue concerns whether making discounts available exclusively via a retailer loyalty app constitutes discrimination against “offline consumers”, who are unable to benefit from such offers or can do so only after registering for the relevant app.

The Federation of German Consumer Organisations (vzbv) is currently pursuing a number of actions for injunctive relief against German food retail groups, seeking to require that discounts also be made available to so‑called offline consumers. However, in a first decision concerning the German food discounter Netto, the Bamberg Higher Regional Court held that granting discounts exclusively via a retailer loyalty app does not constitute unlawful discrimination (HRC Bamberg, judgment of 18 March 2026, file no. 3 UKl 16/25 e). The court emphasised that retailers are not required to accommodate the individual preferences, abilities, or personal circumstances of consumers. It further noted that access to app‑based offers may affect consumers differently; for example, visually impaired individuals may find digital applications more accessible than printed advertising. Further hearings in other cases concerning other German food retailers are scheduled for later this year. 

Question 4: Data protection issues

While the consumer law dimensions of "paying with data" attract significant public attention, the data protection questions are equally consequential for businesses. To date, these issues have not been the subject of case law in the specific context of retailer loyalty apps. Nevertheless, the underlying principles are increasingly well defined, leading to rising compliance pressure.

Legal basis for processing

A review of the privacy policies of several retailer loyalty apps from major retailers apps reveals that providers rely on different legal bases under Art. 6 GDPR:

• Consent: Some providers obtain user consent, either as a universal acceptance of all conditions during registration or as separate, granular consent for data processing related to personalisation.
• Contractual necessity: Other providers argue that personalisation is necessary for the performance of the user agreement.
• Legitimate interests: A third group relies on the balancing test under Art. 6(1)(f), asserting that personalised offers serve the controller's legitimate business interests without overriding the user's rights.

Under the GDPR's architecture, these legal bases are fundamentally equal and may be applied independently of each other. However, each comes with specific requirements. For instance, where processing is based on contractual necessity or legitimate interests, the controller must be able to demonstrate and prove which data is collected and processed for what purpose. Where consent is the chosen basis, it must be freely given, specific, informed and unambiguous (Art. 4 No. 11 GDPR). Whether a given app's consent mechanism meets these standards must be assessed on a case-by-case basis.

Retention requirements

To comply with retention requirements, retailers must also take into account the principle of data minimisation under Art. 5(1)(c) GDPR and the requirements set forth in the case law of the CJEU (i.e. case C-446/21, Schrems III). Both preclude the unlimited storage of personal data. The purpose of data processing (i.e. the personalisation of the app experience) can, at the latest, no longer be fulfilled once a user deletes their account in the respective retailer loyalty app. In this case, the user's personal data must also be deleted. However, it is also conceivable that the purpose of data processing ceases to apply while the user is still using the retailer loyalty app. This may be the case, for example, where the user's personal data is collected over a very long period of use and this historical data no longer corresponds to the user's current interests. 

Takeaways for businesses

For businesses operating loyalty programmes or any service that collects personal data in exchange for benefits, this is a moment for proactive review. Three priorities stand out:

First, it is essential to conduct a comprehensive inventory of all relevant apps, loyalty programmes and data-driven services, and to understand what data is collected, for what purposes, on what legal basis, and how long it is retained.

Second, businesses should critically assess customer communications. If apps or services are advertised as “free of charge”, they should evaluate the risk that this description may need to be adjusted due to stricter legal requirement in the future and prepare alternative messaging in advance.

Third, it may be advisable to developcontingency scenarios for the possible outcomes of the pending CJEU proceedings. The regulatory landscape in EU jurisdictions may shift quickly once there is further guidance from the CJEU.