The T-6 Legal Audit Every Loyalty Launch Needs
Six weeks before go-live, most loyalty teams are in execution mode. Creative locked. Tech in UAT. Comms plan signed off.
Then legal reads the mechanics. The timeline shifts.
This is predictable. It is also preventable.
What legal actually reviews
Legal review is an exposure audit. Your mechanics determine the surface; the surface determines the timeline.
Every mechanic you've built creates legal surface area — across data regulation, promotions law, consumer protection, and partner agreements. The teams that move through T-6 review without delays arrived with a mapped surface already in hand.
The Legal Surface Area framework
Four surfaces. Every loyalty program creates all four.
Data surface — every touchpoint where you collect, process, or share customer data. Opt-in flows, behavioural tracking, partner data transfers. In EMEA, this surface sits directly under GDPR. The test is whether your privacy notice accurately describes what your mechanics actually do.
Promotion surface — every mechanic with randomness or conditional value. Surprise rewards, mystery tiers, spin-to-win. Several EMEA markets classify these as games of chance, triggering promotions law review or gambling authority notification. Scale determines the threshold; the threshold is lower than most teams assume.
Value surface — every claim about what customers earn, receive, or redeem. "Free" with conditions. Points expiry. Tier benefits described as "exclusive." These read differently under DE, UK, and PL consumer protection law. Unqualified claims generate the most rewrite volume.
Partner surface — the gap between what your partner agreement allows and what your privacy notice says. Legal finds this gap at T-6. The fix takes weeks. Found at T-12, it takes a call.
Six things that change in EMEA at T-6
1. Points expiry language. "Expires after 12 months of inactivity" has market-specific requirements in Germany that differ from those in the UK and PL. One T&C version rarely serves all three markets cleanly.
2. "Free" reward claims. Any reward requiring a minimum action — spend, registration, opt-in — needs qualification. Most EMEA markets flag unqualified "free" in loyalty communications as a consumer protection issue.
3. SMS opt-in flows. Double opt-in requirements vary by market. A flow compliant in France may not meet the German standard. Multi-market simultaneous launches must be built to the most restrictive requirement.
4. Tier criteria disclosure. "Exclusive benefits for top members" triggers disclosure requirements in some markets. How you define tier thresholds, and whether you communicate them publicly, carries legal weight alongside commercial significance.
5. Partner data processing. Your DPA says the partner processes data for fulfilment only. Your CRM sends them behavioural segments for personalisation. Legal reads both documents at T-6.
6. Randomised mechanics. Mystery rewards at scale, surprise & delight tied to an algorithm — the threshold for promotions law classification is lower than most teams anticipate. Market matters. Volume matters. Both together matter most.
The pre-review audit
Before T-6, run a surface audit internally.
For each mechanic: name the surface type, list the markets it touches, and identify the default legal reading. Flag anything involving randomness, "free" language, data sharing across entities, or cross-market scope.
The goal is to arrive with known questions.
Legal review becomes a scheduled confirmation.
Legal Surface Area — the total legal exposure created by your program mechanics across four dimensions: data, promotion, value, and partner. Every mechanic you add increases it. Map it before T-6. The programs that ship on time reduced their surface before the review arrived.