May 30, 2023

Colorado’s “Loyalty Program” regulations are final, and they blow California’s rules out of the water

Christian Auty, Amy de La Lama, Martha Kohlstrand, Goli Mahdavi

BCLP

+ Follow Contact

Send

Embed

On March 15, 2023, the Colorado Attorney General’s Office announced the finalization of the Regulations^[1] implementing the Colorado Privacy Act (CPA)^[2], which will take effect on July 1, 2023. Covered businesses that make use of customer loyalty programs should ensure that those programs, termed “Loyalty Programs” under the Rules, comply with the CPA. Many of these requirements are unique to the CPA and are not addressed in other new state privacy laws, so businesses will want to take a fresh look at how their programs are administered and confirm that their programs meet both the requirements of the CPA as well as the existing requirements of the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Under the Regulations, a “Loyalty Program” is a “loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose” of providing “an offer of superior price, rate, level, quality, or selection of goods or services” to a consumer, either directly from the business or via a partner, whose “primary purpose in processing personal information is to provide the program’s benefits to a participating consumer.”^[3] Businesses must provide specific disclosures regarding Loyalty Programs at the point of program registration, either directly or in the form of a link to the specific section of the privacy notice or terms and conditions that contain the disclosures.^[4] Moreover, Loyalty Program terms and requests for consent to process Sensitive Data or Personal Data (where required) in connection with the Loyalty Program must include a link to the business’s Privacy Notice.^[5] These disclosures are in addition to those required in the business’s Privacy Notice.

Loyalty Program Disclosure Requirements

Unlike California, which requires initial opt-in consent from the consumer prior to participating in a loyalty program^[6], Colorado Loyalty Programs do not require any additional consent beyond what is otherwise required by the CPA (e.g., consent to process sensitive data), although the consumer’s participation in the Loyalty Program must be “voluntary.”^[7] However, the required disclosures are comprehensive and must cover:

The categories of Personal Data or Sensitive Data collected through the Loyalty Program that will be sold or processed for targeted advertising, if any;
The categories of third parties that will receive the consumer’s Personal Data and Sensitive Data, including whether the Personal Data will be provided to data brokers;
A list of any Loyalty Program Partners, and the Loyalty Program Benefits provided by each Loyalty Program Partner;
If the business claims that a consumer’s decision to delete Personal Data makes it impossible to provide a Loyalty Program Benefit, then the business shall provide an explanation of why the deletion of Personal Data makes it impossible to provide a Loyalty Program Benefit;
If the business claims that a Consumer’s Sensitive Data is required for a Loyalty Program Benefit, then the business shall provide an explanation of why the Sensitive Data is required for a Loyalty Program Benefit.^[8]

In addition, beyond these initial disclosure obligations, if a consumer’s decision to exercise a data right affects the consumer’s membership in a Loyalty Program, the business must notify the consumer of the impact of the decision at least 24 hours before discontinuing the consumer’s Loyalty Program Benefit or membership, and must provide a reference or link to the loyalty program disclosures.^[9]

For organizations subject to both the CPA and the CPRA, Loyalty Program (or Financial Incentive program) disclosures would also need to also cover the mandatory content requirements set out by the CPRA to meet the requirements of both state laws. As a reminder, under California rules, the following information must be provided to consumers:

A succinct summary of the financial incentive or price or service difference offered;
A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;
How the consumer can opt-in to the financial incentive or price or service difference;
A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and
An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
- A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and
- A description of the method(s) the business used to calculate the value of the consumer’s data.

There is not significant overlap in the content requirements set out by Colorado and California, so organizations subject to both laws will need to make sure they review and address both sets of requirements, rather than assuming that the disclosures for one state will be sufficient for the other.

Sensitive Data

In addition to establishing mandatory disclosure obligations, the Regulations prohibit a business from conditioning a consumer’s participation in a Loyalty Program on the consumer’s consent to process Sensitive Data, unless the Sensitive Data is required for all Loyalty Program Benefits. For instance, a hypothetical grocery store’s Loyalty Program includes both personalized and non-personalized benefits. The grocery store asks the consumer for consent to collect Sensitive Data in order to provide the personalized benefits. If the consumer refuses consent, the grocery store should notify the consumer that it will not provide the personalized benefits but will provide the non-personalized benefits moving forward.^[10]

Managing Deletion & Opt-Out Requests

If a consumer opts-out of the sale of Personal Data or the processing of Personal Data for targeted advertising, the business is no longer obligated to provide a Loyalty Program benefit to the consumer that is contingent upon the sale of such Personal Data. However, if the Loyalty Program provides benefits that are unrelated to the sale of Personal Data or the processing of Personal Data for targeted advertising, the business must continue to provide those benefits to the consumer.

For example, assume a hypothetical hotel chain’s Loyalty Program provides points that can be used to obtain discounts for the hotel chain as well as at a popular restaurant chain that is not affiliated with the hotel chain. The restaurant chain requires the hotel chain to provide the Personal Data of each consumer who wants to use the hotel chain’s points to receive the restaurant discount. If the consumer opts out of the sale of Personal Data and the processing of Personal Data for targeted advertising, the hotel chain will not be able to provide the required information to the restaurant chain, and therefore is permitted to discontinue that benefit. However, the hotel chain must still provide all available Loyalty Program Benefits to be used at the hotel chain because this benefit is not contingent upon the sale of the underlying Personal Data.^[11]

Secondary Uses of Loyalty Program Data

Additionally, the Regulations limit secondary uses of Loyalty Program data. First, if the sale of Personal Data or the processing of Personal Data for targeted advertising is unrelated to the sharing of information with a Loyalty Program partner, it requires consent. To illustrate, a consumer joins a retailer’s Bona Fide Loyalty Program, which offers discounts on products based on the consumer’s purchase history. The retailer wants to fund the loyalty program, in part, by selling the consumer’s purchase history (which would be considered Personal Data) to a data broker. The retailer is required to obtain the consumer’s consent to sell their Personal Data to the data broker because selling the Personal Data to a data broker is a secondary use of the Personal Data and is not required in order to administer the Loyalty Program.^[12]

The nuances of this limitation are further explored in the Regulations’ final example of a consumer who exercises the right to opt-out of the processing of Personal Data by an online gaming company for targeted advertising. The online gaming company would like to offer the consumer fewer free games and argues that the additional free games are only for members of its Loyalty Program, which requires the processing of Personal Data for targeted advertising. This differential treatment is prohibited if the processing of Personal Data for targeted advertising is not required to provide the additional games. The differential treatment may be permissible, however, if the free games are provided by a Loyalty Program Partner that requires the processing of Personal Data for targeted advertising through a co-marketing agreement with the online gaming company.^[13]

The Regulations do not explain why the sale of Personal Data or the processing of Personal Data for targeted advertising in the context of Loyalty Programs constitutes a secondary use and triggers an opt-in consent requirements, when opt-out is required in other contexts for these activities. Nevertheless, opt-in consent is required in these circumstances and may mean that organizations have to implement different consent features across websites and mobile apps to account for these obligations.

What Can Companies do to Prepare?

The Colorado Regulations are deceptively complex and may impose significant implementation obligations on organizations offering Loyalty Programs to consumers — especially retailers, supermarkets, and those in the hospitality industry. Whereas California’s financial incentive program disclosure requirements also impose detailed disclosure obligations on organizations that can be difficult to meet, particularly with regard to determinations regarding the value of the Personal Data collected, Colorado’s rules will require significantly more on the implementation front. Specifically, organizations will need to carefully parse out what data is collected for use in the Loyalty Program, whether all uses and disclosures are necessary for the administration of the Loyalty Program (including the use of cookies and/or similar digital technologies) and/or particular benefit, and what contractual obligations apply with regard to information gathered and disclosed. Companies will then need to walk through the obligations described above to understand whether there are circumstances where Loyalty Program participants may need to be treated differently from other consumers depending upon how they exercise their right to opt-in or opt-out. In such cases, privacy and marketing teams will need to work closely with their technical teams to make sure there are solutions in place to honor such choices and differentiate consumers. This is not an easy task, but as with so many of these new privacy obligations, the most important step is to get started to make sure there is enough runway to identify hurdles and implement solutions.

^[1] 4 CCR 904-3.

^[2] CRS 6-1-1301 et seq.

^[3] 4 CCR 904-3 Rule 2.02.

^[4] 4 CCR 904-3 Rule 6.05(F)(1).

^[5] 4 CCR 904-3 Rule 6.05(F)(2).

^[6] California Privacy Rights Act Regulations § 7016.

^[7] CRS 6-1-1308(d); 4 CCR 904-3 Rule 6.05(A).

^[8] 4 CCR 904-3 Rule 6.05(F)(1)(e).

^[9] 4 CCR 904-3 Rule 6.05(E).

^[10] 4 CCR 904-3 Rule 6.05(G).

^[11] 4 CCR 904-3 Rule 6.05(H).

^[12] 4 CCR 904-3 Rule 6.05(I).

^[13] CCR 904-3 Rule 6.05(J).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.