On January 28, 2022, the California Attorney General (AG) announced an “investigative sweep” of businesses operating loyalty programs in the state, which it launched by sending multiple businesses notice of noncompliance with the California Consumer Privacy Act (CCPA). According to the AG’s press release, recipients included major corporations in retail, travel, home improvement and food services industries. These businesses will now have 30 days to cure the alleged CCPA violations or face enforcement action.¹

The Financial Incentive Rule

Loyalty programs have exploded in popularity as a means of lawfully obtaining personal information from willing consumers, but for companies operating in California, this means that these programs are also subject to the CCPA. The CCPA requires these businesses to give consumers notice of the material terms of the financial incentives program, including information about discounts or other benefits provided in exchange for the consumer’s personal information.² A financial incentive is defined by the CCPA as “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.”³ Importantly, notice is also required if the business provides any difference in the level or quality of goods or services in relation to collecting, retaining or selling consumers’ personal information.

This is not the first time the California AG has targeted loyalty programs for CCPA enforcement. In its enforcement overview released in July 2021, the Office of the AG highlighted one example of a grocery chain that failed to provide a Notice of Financial Incentive for consumers participating in its loyalty program. This sustained interest from the AG makes it all the more critical for businesses to ensure that they remain compliant with the CCPA’s provisions on loyalty programs.

How to Cure Violations

According to the AG’s press release, companies will have 30 days to fix the alleged violations before enforcement will begin. This involves providing notice that consumers’ personal information will be collected through the loyalty program.⁴ This notice must include the following:

• A summary of any financial incentive or any difference in the price or quality of services or goods offered.⁵
• A description of the terms of the financial incentive that includes the categories of personal information that will be implicated and the value of the consumer data.
• How the consumer can opt-in to the financial incentive or price or service difference and how they can withdraw at any time.
• How the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including a “good faith estimate” of the value of the consumer’s data on which the incentive is based.
• A description of the method used to calculate the value of the consumer data.⁶

Businesses that offer financial incentives online can give notice by providing a link to the section of the company’s privacy policy that contains this information.⁷ However, these requirements apply equally to businesses that collect consumers’ personal information in person at brick and mortar locations.

Takeaway

If a business is subject to the CCPA, the loyalty programs it sponsors are also subject to the CCPA. In light of AG enforcement in this area, companies should move quickly to review their loyalty programs to bring them into compliance with the CCPA’s financial incentive rules. Not only is it a priority for the California AG, but it also may involve strategic considerations, such as what the disclosure of consumer data valuation methods might mean for trade secrets protection. Companies would do well to exercise caution when establishing compliance, and conduct detailed reviews of their loyalty programs.

¹ Cal. Office of the Att’y Gen., On Data Privacy Day, Attorney General Bonta Puts Businesses Operating Loyalty Programs on Notice for Violations of California Consumer Privacy Act, Press Release (January 28, 2022), hereinafter “Press Release” available at https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-puts-businesses-operating-loyalty.

² Cal. Reg. § 999.307(a)(1).

³ Cal. Reg. § 999.301(j).

⁴ Cal. Reg. § 999.301(n) “‘Notice of financial incentive’ means the notice given by a business explaining each financial incentive or price or service difference as requires by Civil Code section 1798.125, subdivision (b), and specified in these regulations.”

⁵ Cal. Reg. § 999.301(n) “‘Price or service difference’ means (1) any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, or sale of personal information, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer related to the collection, retention, or sale of personal information, including the denial of goods or services to the consumer.”

⁶ Cal. Reg. § 999.307 (b)(1)-(5).

⁷ Cal. Reg. § 999.307 (a)(3).