CCPA Privacy FAQs: Is a business required to delete loyalty program information if it receives a deletion request from an active member?

Bryan Cave Leighton Paisner
Contact

Typically no.

Loyalty programs can be, and are, structured in a variety of different ways.  Some programs track dollars spent by a consumer, others track products purchased.  Some programs are free to participate in, others require consumers to purchase membership.  Some programs offer consumers additional products, other programs offer prizes, money, or third party products.  All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.

One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”1  While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program).  As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request.  Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:

Exception

Description of Exception

Applicability to Loyalty

Complete a Transaction

If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.2

 Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program.  For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).

Provide a good or service

If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.3

 Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.

Detect wrongdoing. 

If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.4

 Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.

Repair errors. 

If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.5

 

 Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.

Internal uses aligned with consumer expectations. 

If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business,” a business is not required to honor a deletion request.6

 Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business.  These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.     

Internal uses aligned with the context of collection

If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.7 

 Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information.  Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.

Comply with legal obligations

If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.8

 Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.

The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, 1798.105(a).

2. CCPA, Section 1798.105(d)(1).

3. CCPA, Section 1798.105(d)(1).

4. CCPA, Section 1798.105(d)(2).

5. CCPA, Section 1798.105(d)(3).

6. CCPA, Section 1798.105(d)(7).

7. CCPA, Section 1798.105(d)(9).

8. CCPA, Section 1798.105(d)(8).

[View source.]

Written by:

Bryan Cave Leighton Paisner
Contact
more
less

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.