With a nod to Data Privacy Day (January 28), California Attorney General Rob Bonta announced an enforcement sweep of loyalty programs operated by retail, home improvement, travel, and food service companies.  The California Consumer Privacy Act (CCPA) defines a “financial incentive” as “a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information,” Regs. § 999.301(j) (emphasis added), and has transparency, choice, and fairness requirements for such a program to be offered to Californians.  The Office of the Attorney General of California (OAG) has taken a very broad approach to applying the CCPA’s financial incentive rules to loyalty programs, essentially treating a program as a financial incentive if it collects any personal information as part of its operation.

The CCPA’s financial incentive rules require businesses to give consumers notice of the material terms of any financial incentive program.  The CCPA does not define “material term,” but the OAG has given us some guidance as to what it believes are material terms for loyalty programs.  The notice must also include a summary of the financial incentive or price or service difference offered; the value of the financial incentive; the categories of personal information implicated by the financial incentive; how the consumer can subscribe (prior opt-in consent) and terminate (withdraw consent) participation; and an “explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. . . .” Regs. § 999.307(b)(1)-(5).  There are various other CCPA requirements that businesses need to comply with in implementing their loyalty programs.  The data and benefit valuation methods and the balancing requirement call for strategic thought, including with regard to trade secret protection.

In the enforcement sweep, the OAG issued notice of noncompliance letters to “a number of businesses” that offer “financial incentives, such as discounts, free items, or other rewards, in exchange for personal information. . . .”  The businesses have 30 days to cure and come into compliance with the CCPA.  This isn’t the OAG’s first shot at targeting alleged privacy issues in loyalty programs.  On July 19, 2021, the OAG issued a press release summarizing its first year of CCPA enforcement, which we covered here.  Most of the 27 resolved exemplary cases dealt with notice deficiencies and inadequate disclosures, including in loyalty programs.  The businesses in these exemplary cases included both brick-and-mortar and online-based businesses.

Also in the press release is a one-off statement from the OAG that may confuse some readers: “Businesses are required under CCPA to provide a notice of financial incentive if profiting from the collection of customers’ personal information.”  This is an overly broad statement.  A business can profit from the collection of personal information without offering a program that would qualify as a financial incentive under the CCPA.  Perhaps this was just an attempt at rephrasing Attorney General Bonta’s quote about businesses finding new ways to profit from consumer data.  Either way, loyalty programs are an enforcement priority and the OAG wants businesses to be transparent about their data practices.

Note that the California Privacy Rights Act (“CPRA”), which amends the CCPA, adds an additional requirement for loyalty programs effective January 1, 2023: a business is prohibited from requesting that a consumer provide opt-in consent for a loyalty program for at least 12 months after the consumer last declined to provide opt-in consent for that program.  The CPRA also defines “consent,” something the CCPA does not.  Businesses should review their loyalty programs for CCPA compliance now, and begin preparing for the CPRA.

For more information, contact the authors.