Why Okendo Doesn’t Auto-Enroll Customers into Loyalty (and Why Your Customers are Worth More for It)
If you’ve spent any time setting up Okendo Loyalty, you’ve probably wondered why you can’t just opt all your customers in by default. They’re already shopping with you, you already have their email, and most of them are going to enjoy earning points. Why the extra step?
There’s a good reason, and I’d love to walk you through it.
The Regimes that Drive our Approach
Okendo is a global company, and we offer our products to merchants all across the world. More than that, our merchants sell their products to customers everywhere.
This means we need to be conscious of the law not only where your store is based, but also where your customers are, because if we get this wrong, it is our merchants who are likely to get in trouble. To this end, we target compliance with a few key markets:
- United States;
- Europe & The United Kingdom;
- Canada;
- Australia & New Zealand.
1. The United States
California sets the toughest bar. Its privacy law (the CCPA) treats loyalty programs as “financial incentive programs”, which means customers have to opt in, and merchants have to spell out what data they collect, what the member gets in return, and how to leave. Regulators are enforcing it, too: DoorDash paid $375,000 in 2024 over disclosure failures, and in 2025 retailer Tractor Supply was hit with a record $1.35 million fine for opt-out and notice problems. California has also gone after “dark patterns”: sign-up flows that nudge people into a yes they didn’t really mean. Auto-enrollment is exactly the kind of thing that draws attention.
And California isn’t alone. Twenty US states now have their own privacy laws, and the number keeps climbing. Colorado, for instance, requires loyalty programs to be genuinely voluntary and to collect only the data they actually need. Even where loyalty isn’t named outright, the rules generally stop merchants from penalising customers who decline to hand over data, which pushes you to ask first rather than enroll by default.
2. Europe and The UK
The GDPR sets a high bar for consent: it has to be freely given, specific, informed, and unambiguous. Europe’s top court settled the question of pre-ticked boxes back in 2019: silence and pre-selected options don’t count. And you can’t reuse the consent someone gave to create an account to also sign them up for loyalty. Different purpose, different yes.
3. Canada
Canadian law is built around “meaningful consent”: merchants have to explain what they’re collecting, why, and how it will be used, in plain language a real person can follow. Vague, catch-all privacy notices don’t cut it. Quebec goes further still, demanding a clear opt-in asked separately from everything else, with eye-watering penalties for getting it wrong.
4. Australia and New Zealand
Both require notice when you collect data and fresh consent for any new use of it. So you can’t quietly turn “create an account” into “join our rewards program” — they’re separate purposes that need separate consent. Spam laws in both countries add a second layer for any marketing emails and texts you send to members.
Across all of these regimes, one principle holds constant, and merchants need to be aware of it: loyalty membership requires a genuine, knowing yes.
Our “Highest Common Denominator” Approach
We could try to build a product that does the bare minimum required in each jurisdiction: opt-out here, opt-in there, different flows for different countries. That would be a configuration nightmare, and any merchant who accidentally surfaced the wrong flow to the wrong customer would immediately find themselves breaking the law.
Instead, we take what we call a “highest common denominator” approach. We look at the key regimes our merchants operate under, find the strictest applicable rule, and build to that. If a customer in California needs an opt-in with a Notice of Financial Incentive, every customer gets one. If a shopper in Frankfurt needs a separate consent for marketing, that option is there for everyone.
It’s tempting to see all of this as friction. But customers who actively choose to join a loyalty program tend to be worth materially more than ones who get scooped in by default. They open the emails. They redeem the points. They come back, and they tell their friends.
When you see that opt-in step in the sign-up flow, you can thank the GDPR, the CCPA and the Privacy Act, and trust that the customers who tick the box will still be there in twelve months.