Typically no.
Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”1 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:
|
Exception
|
Description of Exception
|
Applicability to Loyalty
|
|
Complete a Transaction
|
If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.2
|
✓ Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program. For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).
|
|
Provide a good or service
|
If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.3
|
✓ Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.
|
|
Detect wrongdoing.
|
If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.4
|
✓ Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.
|
|
Repair errors.
|
If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.5
|
✓ Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.
|
|
Internal uses aligned with consumer expectations.
|
If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business,” a business is not required to honor a deletion request.6
|
✓ Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.
|
|
Internal uses aligned with the context of collection.
|
If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.7
|
✓ Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.
|
|
Comply with legal obligations.
|
If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.8
|
✓ Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.
|
The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, 1798.105(a).
2. CCPA, Section 1798.105(d)(1).
3. CCPA, Section 1798.105(d)(1).
4. CCPA, Section 1798.105(d)(2).
5. CCPA, Section 1798.105(d)(3).
6. CCPA, Section 1798.105(d)(7).
7. CCPA, Section 1798.105(d)(9).
8. CCPA, Section 1798.105(d)(8).
[View source.]
