
Mobile Wallet notifications: transactional, marketing, and GDPR consent.


Introduction

Mobile wallets (Apple Wallet and Google Wallet) have become powerful tools for delivering loyalty cards, tickets, coupons, or subscriptions directly to consumers’ smartphones.

  • Apple Wallet comes pre-installed on all iPhones and Apple Watches. Each brand that issues its own passes via Apple certificates creates a distinct object that users can manage independently (notifications, display, deletion).
  • Google Wallet on Android depends on the device manufacturer: it may come pre-installed or be downloaded from the Play Store. During initial setup, just like with Apple Wallet, users must accept or decline notifications.

👉 These specificities directly impact how a brand can communicate with its customers, and particularly the compliance obligations regarding user consent and GDPR.

How Wallet Notifications Work

Apple Wallet

  • Notifications are delivered only via pass updates.
  • Whenever a field changes (points balance, loyalty status, event reminder), a notification can be sent.
  • Some brands use a dedicated promotional field: updating it triggers a notification, allowing marketing messages through the pass update mechanism.
  • Unlike a native app, which must manage notifications itself, Apple Wallet handles them automatically.

User Settings

  • Each pass is linked to a unique Apple identifier.
  • The user can enable or disable:
    • Automatic updates
    • Push notifications
    • Contextual pre-opening (e.g., automatic display of a pass when entering a store)

Example of iOS Configuration:

passAppleWalletOptinNotif.jpeg

Global iOS Notification Settings:

appleWalletOptinNotif.jpeg

Google Wallet

  • Like Apple Wallet, Google Wallet automatically sends notifications when a pass is updated.
  • However, Google also offers a notifications API, allowing a direct push message linked to a pass without updating any field.
    • Example: “-20% this weekend at your favorite store.”

โš ๏ธ Technical Limitations:

Global notification settings for Google Wallet

globalgoogle.jpg

globalgoogle2.jpg

Request for permission to receive notifications

autorisation_google.jpg

Transactional vs Marketing Notifications

Transactional Notifications (Service-Related)

  • They stem directly from a contract or membership in a loyalty program.
  • Examples:
    • A program member receives a notification: “You have earned 50 points.”
    • A ticket buyer receives a reminder: “Your concert starts tomorrow.”
    • A sports club member receives a notification indicating only 3 entries remain.
  • Legally, they are covered by contract execution (Terms & Conditions).
  • No marketing consent is required, as they are necessary for the provision of the service.

โš ๏ธ Note: A prospect who downloads a pass without subscribing to a service is not covered by this framework. Any notification received in this case is considered marketing outreach.

Marketing Notifications (Prospecting)

  • Their purpose is to promote a product or service without a direct link to an existing contract.
  • Examples:
    • Updating a promotional field to announce an offer.
    • Sending a notification via the Google API: “-20% on the new collection.”

Consent and GDPR Compliance

Legal Basis

  • GDPR Articles 6 & 7 + CNIL Guidelines:
    • Transactional → allowed because it is linked to contract execution.
    • Marketing → considered commercial prospecting → requires a free, specific, and informed opt-in.

Collecting Consent

  • Can be obtained:
  • Mandatory distinction between:
    • Consent for service notifications
    • Consent for marketing notifications
  • Validity period:
    • In the EU, consent must be renewed at least every 3 years, unless the user continues to interact, for example by opening emails or making purchases.

Privacy Policy & Legal Notices

They must be updated to specify:

  • That Wallet passes generate notifications
  • The distinction between transactional and promotional notifications
  • User options for managing or disabling notifications
  • The purposes of data processing and the use of marketing consent

Best Practices for Brands

  1. Map use cases: clearly distinguish between transactional and marketing notifications.
  2. Update legal documentation (privacy policy, legal notices, Terms & Conditions).
  3. Provide a specific marketing opt-in for promotional notifications.
  4. Inform users about their options for managing notifications.
  5. Record and retain proof of consent for all marketing notifications.
  6. Offer an additional opt-out within the Wallet pass:
    • Include a link in the pass to a preference management form.
    • Allow users to unsubscribe from marketing notifications only, while keeping transactional notifications active.
    • Make it easy to withdraw consent without requiring the user to delete the pass entirely.
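
As an added illustration (not code from this article or from any Wallet SDK), the sketch below shows a server-side gate that applies the rules above before a pass update or push is sent: service messages to members rest on the contract, anything sent to a prospect is treated as marketing, and a marketing-only opt-out leaves transactional notifications active. The PassHolder record, its field names, and the reading that the 3-year period restarts at the latest opt-in or interaction are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumption: the 3-year clock restarts at the latest opt-in or interaction.
CONSENT_VALIDITY = timedelta(days=3 * 365)


@dataclass
class PassHolder:
    """Hypothetical consent record; field names are illustrative only."""
    is_member: bool                                  # subscribed to the service or program
    marketing_opt_in_at: Optional[datetime] = None   # stored as proof of consent
    marketing_opt_out_at: Optional[datetime] = None  # set by the in-pass preference form
    last_interaction_at: Optional[datetime] = None   # e.g. purchase or opened email


def marketing_consent_valid(h: PassHolder, now: datetime) -> bool:
    if h.marketing_opt_in_at is None:
        return False
    # A withdrawal recorded after the opt-in always wins.
    if h.marketing_opt_out_at and h.marketing_opt_out_at >= h.marketing_opt_in_at:
        return False
    latest = max(t for t in (h.marketing_opt_in_at, h.last_interaction_at) if t)
    return now - latest <= CONSENT_VALIDITY


def may_notify(h: PassHolder, kind: str, now: datetime) -> Tuple[bool, str]:
    """Decide whether a pass update or push of the given kind may be sent."""
    if kind not in ("transactional", "marketing"):
        raise ValueError(f"unknown notification kind: {kind!r}")
    # Service messages to a member rest on contract execution, not consent.
    if kind == "transactional" and h.is_member:
        return True, "contract"
    # Marketing, or any message to a prospect, needs a valid marketing opt-in.
    if marketing_consent_valid(h, now):
        return True, "marketing_opt_in"
    return False, "no_valid_marketing_opt_in"


# Constructed sample: a member who withdrew marketing consent keeps service messages.
NOW = datetime(2025, 1, 1)
member = PassHolder(True, datetime(2024, 1, 1), marketing_opt_out_at=datetime(2024, 6, 1))
print(may_notify(member, "transactional", NOW), may_notify(member, "marketing", NOW))
```

Logging the returned reason next to each send gives an audit trail that pairs with the stored opt-in timestamp.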

Conclusion

  • Apple Wallet → notifications are limited to pass updates. It is possible to include a promotional field, but there is no API for free push notifications.
  • Google Wallet → notifications via updates or via API; more flexible, but all marketing use must rely on an explicit opt-in.

👉 Implementing mobile wallets is not just a technical project. It is also a legal and organizational one:

  • Adapt contractual and privacy documents
  • Define a clear strategy for collecting and managing consents and opt-outs
  • Ensure users have full control over their preferences
  • Verify the overall functionality of the wallets
  • Ensure the customer journey is coherent

For more information, see this article introducing the concept of mobile wallets

Properly implemented, Wallet becomes a powerful tool, combining marketing effectiveness with GDPR compliance.
