The California Attorney General put loyalty rewards programs directly in his sights when he recently announced an “investigative sweep” of a number of businesses operating such programs in state. While it is lawful for businesses to offer financial incentives such as loyalty rewards programs to consumers in exchange for the collection of their personal information, state privacy laws require such businesses to fulfill certain requirements, including providing consumers with a Notice of Financial Incentive. Along with the January 28 announcement, the Attorney General sent notices to a number of businesses operating loyalty rewards programs alleging noncompliance with the California Consumer Privacy Act (CCPA). This Insight will review the four biggest takeaways for businesses stemming from this recent development.

Background: CCPA Implicates Loyalty Rewards Programs

By way of background, the California Consumer Privacy Act (CCPA) was passed in 2018 and took effect in 2020. Its primary purpose is to protect California consumer privacy rights by imposing duties on businesses that collect or maintain Californians’ “personal information.” The duties imposed on covered businesses include providing consumers certain notices explaining the business’s privacy practices, and not discriminating against consumers based on a consumer’s exercise of their CCPA rights.

4 Takeaways from Recent AG Announcement

Below are the four most significant takeaways from the Attorney General’s announcement:

1. The Attorney General is Committed to Enforcing the CCPA

First and foremost, the announcement demonstrates the Attorney General’s commitment to enforcing the CCPA even though enforcement responsibility will soon shift to the newly established California Privacy Protection Agency (CPPA). In the announcement, the Attorney General’s office noted that it launched a new online tool that will assist consumers to draft and send notices of noncompliance to businesses. Not only is the Attorney General’s office committed to enforcing the CCPA, this announcement signals it will be taking – and supporting – a proactive approach.

2. Businesses Must Provide Notice of Financial Incentive to Consumers

Businesses that should take immediate action are those that (a) received a notice of noncompliance from the Attorney General’s office; (b) received a notice of noncompliance from a consumer; or (c) offer a program, benefit, or other type of offering relating to the collection, deletion, or sale of personal information. Such offerings include loyalty programs involving rewards, coupons, and points.

The CCPA requires businesses offering financial incentives in exchange for personal information to provide consumers with a Notice of Financial Incentive. The notice must include the following:

• a summary of the financial incentive or price or service difference offered;
• the material terms of the financial incentive or price or service difference;
• a description of how the consumer can opt in;
• a statement of the consumer’s right to withdraw; and
• an explanation of how the financial incentive is reasonably related to the value of the consumer’s data.

3. There are Significant Potential Consequences for Noncompliance

The CCPA provides California residents the right to sue for a data breach resulting from failure to implement appropriate security measures. All other claims for violations of the CCPA can only be brought against a business by the California Attorney General, which will soon hand off this responsibility to the CPPA once this new agency gets off the ground. Businesses that face lawsuits brought by the Attorney General or CPPA could be liable for up to $7,500 in penalties per violation – an amount that can quickly balloon if a business has not been keeping up with its obligations.

4. Businesses Should Act Now Regardless of Whether They Have Received a Notice of Noncompliance

If a business receives a notice of noncompliance, it has 30 days to cure the violation and provide the Attorney General’s Office with “an express written statement that the violations have been cured and that no further violations shall occur.” If your business received a notice of noncompliance, you should consult an attorney, cure the alleged violation(s), and submit a timely response.

If your business did not receive a notice of noncompliance but offers a financial incentive program related to the collection of personal information, you should review the requirements under the CCPA, evaluate whether it provides a Notice of Financial Incentive to consumers, and evaluate whether the Notice of Financial Incentive complies with the CCPA.