As technology has come to mediate every aspect of our economic lives, the consumer experience has become a minefield of scams and tricks. Hidden fees reveal themselves at the end of purchases; subscriptions are easy to make and impossible to cancel. Sophisticated third-party pricing software allows sellers to tacitly fix prices, and personal data is increasingly being used to customize them to the maximum a given consumer is willing to pay.

In this Wild West of online commerce, customer loyalty programs enjoy a relatively benign reputation. After all, who doesn’t love a free birthday drink from their favorite coffee chain, or a flight “paid” for with frequent-flyer miles? But as an eye-opening new paper from our friends at Vanderbilt Policy Accelerator makes clear, loyalty programs are in many ways the ultimate device of ecommerce extraction, combining hidden fees, bait-and-switches, subscription traps, and surveillance pricing in opaque ways.

We hope you’ll read their blog post summary below, which originally appeared on the Vanderbilt Policy Accelerator Substack, and check out the full paper. Authors Samuel A. A. Levine and Stephanie T. Nguyen, the Federal Trade Commission’s former director of consumer protection and chief technologist, make a compelling case that loyalty programs deserve more scrutiny as they skyrocket in popularity. At the end of the paper, they provide actionable regulatory proposals for state regulators to get started.

Loyalty programs are everywhere. From airlines to the grocery store and gas station, companies are seeking your loyalty in exchange for discounts. These programs look simple: collect your points, get some deals, and save some money. Chipotle offers “free guac on your next order.” Retailers like Nordstrom offer a “Stylist Ambassador Program” in order to invest in their best customers. American Airlines and Delta offer tens of thousands of bonus miles if consumers enroll in their co-branded credit cards, often enough for a free flight. Similarly, Marriott, Hilton, and Hyatt entice new members with free-night certificates, instant status upgrades, or large point deposits for joining and spending a set amount quickly.

But the reality is that many loyalty programs function as data-harvesting machines. These programs track what we buy, how we search, and even how we navigate our cursors across a screen — building hyper-detailed profiles that companies can use to gauge and direct how much each of us is willing to pay. In recent years, regulators around the world have been sounding the alarm that firms can use loyalty programs to rip off their most loyal customers.

In a new paper, we outline how loyalty programs work and the dangers they can pose for consumers. We illustrate the three stages of how loyalty programs devolve — the Hook, the Hack and the Hike.

The Hook: Companies entice consumers with upfront benefits and discounts to attract and keep them purchasing. This structure is intentional. “Devise a compelling hook,” Harvard Business Review advises, to “attract customers and keep them engaged.” In recent years, companies have been getting creative with these hooks. Mastercard and Nike have pitched “challenges” and “mini-games” to coax more data from loyal customers. Panera promotes bonus rewards and freebies for completing short feedback surveys. Peloton often recognizes members through social media badges and shoutouts. But too often, they operate like a Trojan horse — the programs look generous at the gate, but once inside, they unload hidden fees, intrusive data extraction, and traps that surface only later. The FTC sued UberOne for trapping people in subscriptions and burying them in hidden fees. Fleetcor was accused of charging loyal consumers more than they actually saved in the program. Grubhub was sued for ripping off loyalty members with junk fees, belying their promise of free delivery.

The Hack: Data has become the currency of retail strategy, and loyalty programs are among the most powerful vehicles for collecting it. Companies extract deep insights into consumer behavior — including purchase patterns, how often they shop, and how much price pain they will tolerate — so they can experiment with rewards, segment customers by willingness to pay, and steadily ratchet up data extraction. In fact, experts have argued that companies with loyalty programs, such as airlines, are like banks and data-collecting businesses, with the programs positioned as a lucrative pathway to profits. For example, McDonald’s nearly 10,000-word privacy policy notes how the company can monitor customers’ precise geolocation, browsing history, app interactions, and social media activity. The company then uses this data to build profiles on its customers — predicting their “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.” McDonald’s leverages these psychological profiles to feed its machine-learning systems and drive repeat customer engagement over time.

The Hike: Firms can raise fees, cut benefits, or deploy coercive upselling – tactics that can effectively flip the bargain, turning loyalty programs into a net cost for consumers. Under ordinary circumstances, these changes might prompt users to walk away. But firms increasingly erect barriers to exit — deferring rewards, adding design friction, and making cancellation deliberately cumbersome. These programs are not charities — they require large upfront investment, and companies expect large returns. In recent years, those returns have come less from building loyalty than from extracting it — by raising fees, trimming benefits, and using dark patterns to frustrate cancellation.

The result is a significant transfer of wealth from consumers to corporations, under the umbrella of “loyalty.” “We are at some kind of inflection point,” said Clint Henderson, a managing partner at The Points Guy, a website focused on travel and credit card loyalty programs. “It’s getting harder and harder for consumers to win.”

The paper warns that the stakes extend beyond rewards programs. As companies shift from uniform pricing to personalized, data-driven pricing, loyalty programs serve as a proving ground for models that threaten affordability and fairness across the economy.

The good news is that states already have the power to protect the integrity of loyalty programs and address harmful practices that are corroding their value to consumers. The report shows how unilateral changes to loyalty programs — like price hikes or benefit cuts — can be challenged as deceptive, unfair, or abusive. It explains how states can leverage their privacy laws to curb the most intrusive forms of surveillance, and how they can ensure consumers can enroll in programs without being misled and cancel them without being trapped. Offering a detailed set of enforcement strategies, the report maps how states can attack the harms at every stage of the loyalty lifecycle — from the hook, to the hack, to the hike.