California AG Focuses CCPA Enforcement on Loyalty Programs

BakerHostetler

On Jan. 28, 2022, California Attorney General Rob Bonta (AG) published a statement putting businesses that operate loyalty programs on notice that the California Consumer Privacy Act (CCPA) requirement for a Notice of Financial Incentive (NOFI) is likely to be an area of focus for enforcement. This is the first time the AG has published a public statement singling out a particular business practice as a CCPA enforcement priority. Based on our experience assisting several clients with responding to similar Notices of Violation (NOV) involving the NOFI issue, here is a list of the key issues that are likely at stake.

Industry Focus

The investigative sweep announced by the AG on Jan. 28 included a number of NOV letters sent to businesses in the retail, home improvement, travel and food service industries. The AG also highlighted in the statement that data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers received notices to cure. In the past year and a half, since CCPA enforcement began, a number of our clients that operate loyalty programs received NOV letters that included the NOFI issue, but it was not the single focus. By publishing a public statement, the AG is signaling that his office expects to focus on enforcing the NOFI requirement for businesses that offer loyalty programs. Even if the initial NOV letter alleges only a violation with respect to the NOFI, the AG may follow up with additional notices of violation once the investigation begins, which could result in a review of other areas of the CCPA compliance program, including what personal information is collected for the loyalty programs, how loyalty program data is used or shared with third parties, and how the business handles consumers’ requests for access, deletion and opt-out.

Right to Cure

Under the CCPA, businesses have 30 days from the date of the NOV letter to cure alleged violations, and the AG will ask businesses to respond to these letters within the statutorily allotted 30 days. In our experience, the NOV sets out the AG’s allegations in terms of what it believes to be non-compliance issues, which may include the lack of a NOFI online as part of the business’s online privacy policy, the lack of a NOFI offline (if loyalty program sign-ups occur offline) or both. The NOV may also include a Request for Information, which covers an area the AG is interested in investigating further but for which it is not yet providing notice of a violation. Given the complexity of data practices around loyalty programs, curing any such alleged violations within the 30 days can be challenging for most businesses. This right to cure will also no longer be available starting Jan. 1, 2023, and the new California Privacy Protection Agency will have discretion over whether to provide the business with a time period to cure.

What Businesses Should Do When They Receive an NOV

  • Due Diligence: The business should conduct due diligence on the accuracy of the allegations. For NOFI questions, it should identify the business practices relating to loyalty programs and discount offers and determine whether a NOFI should be provided. If the business has several loyalty programs, consider whether each program warrants a separate NOFI for the consumers’ benefit.
  • Cure Within 30 Days: For businesses that are looking to cure, the AG will expect that a NOFI complies with not only the requirements under the CCPA but also the specific requirements under the regulations as to the content and delivery of this notice, including but not limited to:
    • Prior Notice and Opt-In: It is important that the business provide this notice to consumers before they opt in to the program, meaning the NOFI must be disclosed when the consumers are signing up to participate in loyalty programs. This requirement to obtain prior opt-in consent would extend to offline settings. To illustrate when the AG expects consumers should be receiving the NOFI, the AG specifically mentions offline examples in its statement: “… our data isn’t only collected when we go online. It’s collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store.” Businesses that collect personal information offline should carefully consider when and how they present the NOFI.
    • Clear and Easy to Read: A NOFI must be easy to read, should clearly describe the material terms of the financial incentive program and provide instructions on how to withdraw from any program.
    • Non-Discrimination Right: Businesses that receive NOV letters should also note that these allegations of violations involving the NOFI appear to be separate from any allegations that discrimination occurred. Based on our experience with the AG investigations and as articulated in the latest AG statement, businesses must provide a NOFI when personal information is required for participation in loyalty programs, regardless of whether the business discriminates against a consumer, as set out under Section 1798.125 of the CCPA.

Takeaways

A business that offers loyalty programs, customer rewards, points and perks, and other similar types of financial incentive programs for the collection, sale and/or deletion of personal information must provide prior notice to consumers that clearly describes the material terms of the program, which would enable consumers to make an informed decision about participation. This notice must be clear, easy to read and readily available to the consumers prior to their opting in to the financial incentive program.

If a business receives an NOV letter, it should carefully review the specific allegations of violations and respond to the notice to cure within 30 days. Any business that has not yet received an NOV but operates a loyalty program or offers discounts or other VIP customer programs that could result in different levels of service should review the compliance requirements under the CCPA and look to cure any deficiencies related to the NOFI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
