Typically no.
Loyalty programs are typically permitted to deny a deletion request from an active member as information that was collected about the member from third party sources is outside the scope of the deletion right granted by the CCPA, and information provided by the consumer to the company falls within one of six exceptions to the right of deletion that apply to loyalty programs.
If a loyalty program receives a deletion request from an inactive member (e.g., a former member of the loyalty program, or a member whose points have expired), they are also typically permitted to deny the request based upon one, or more, of the following exceptions:
|
Exception
|
Description of Exception
|
Applicability to Loyalty Program
|
|
Detect wrongdoing.
|
If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.1
|
✓ Personal information is often needed by a loyalty program sponsor about inactive accounts to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.
|
|
Repair errors.
|
If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.2
|
✓ Personal information is often needed by a loyalty program sponsor about inactive accounts to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.
|
|
Internal uses aligned with consumer expectations.
|
If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business,” a business is not required to honor a deletion request.3
|
✓ Personal information is often needed by a loyalty program sponsor about inactive accounts for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These might include internal accounting relating to members’ former points, internal accounting relating to members’ paid-out benefits, auditing, analytics, and improving the operation of the overall program.
|
|
Internal uses aligned with the context of collection.
|
If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.4
|
✓ Personal information is often used by a loyalty program about inactive accounts in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include internal accounting, auditing, analytics, and improving the operation of the overall program.
|
|
Comply with legal obligations.
|
If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.5
|
✓ Personal information about inactive accounts is often maintained in order to comply with tax, escheatment, and corporate accountability laws.
|
The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an inactive loyalty account.
1. CCPA, Section 1798.105(d)(2).
2. CCPA, Section 1798.105(d)(3).
3. CCPA, Section 1798.105(d)(7).
4. CCPA, Section 1798.105(d)(9).
5. CCPA, Section 1798.105(d)(8).
[View source.]
