Think of Passes the same as a more beautiful, engaging form of email or text message (SMS). Whatever information you are allowed to display on an email or SMS can be displayed on a Pass without any additional legal sign off. Any information that is not authorised to be sent in the public domain should simply not be put on the Pass.
Additionally, a user has to choose to add a Pass to their wallet and also have the option to turn off location services and push updates for each Pass they store in their wallet. The consumer controls how they are engaged/contacted through this channel (the same way they may choose to mark an email as spam). That said, the channel is far less intrusive to the customer, and the customer is not bombarded with emails / SMS. They will simply receive a lock screen notification. If you treat this new channel with respect and deliver useful messages (e.g. location based message to easily access their membership card or coupon, or when special offers are available - e.g. rewards that are less points to purchase) then the customer chooses to keep the pass with the notifications setting on.