Does this compromise any of our data / privacy / security requirements?

No.

Think of Passes the same as a more beautiful, engaging form of email or text message (SMS). Whatever information you are allowed to display on an email or SMS can be displayed on a Pass without any additional legal sign off. Any information that is not authorised to be sent in the public domain should simply not be put on the Pass.

Additionally, a user has to choose to add a Pass to their wallet and also have the option to turn off location services and push updates for each Pass they store in their wallet. The consumer controls how they are engaged/contacted through this channel (the same way they may choose to mark an email as spam). That said, the channel is far less intrusive to the customer, and the customer is not bombarded with emails / SMS. They will simply receive a lock screen notification. If you treat this new channel with respect and deliver useful messages (e.g. location based message to easily access their membership card or coupon, or when special offers are available - e.g. rewards that are less points to purchase) then the customer chooses to keep the pass with the notifications setting on.

The benefits of Apple and Google wallet passes

What's the difference between the latest PassKit platform and CherryPie?

Scan your passes using the CodeREADr app

How do I prevent multiple people downloading the same pass?

Subscribe to webhooks and consume real-time event data from PassKit