Financial Institutions Must Assess Whether They Must Comply with CCPA Requirements for Financial Incentive Programs

Ballard Spahr LLP

Last month, California Attorney General Rob Bonta released a summary of his office’s enforcement activity under the California Consumer Privacy Act (CCPA). Although the summary did not include company names, it highlights the CCPA compliance areas that have already drawn attention and that will likely continue to be a focus for enforcement. One summarized action involved a business that failed to provide a Notice of Financial Incentive to consumers for participation in the business’s loyalty programs. Companies must be mindful that if they are requiring consumers to provide personal information in exchange for any type of monetary compensation or other financial benefit, then the CCPA may impose additional disclosure obligations in the form of a Notice of Financial Incentive.

Under the CCPA regulations, a “financial incentive” is defined broadly to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.” Cal. Code Regs. tit. 11, § 999.301(j). For example, if a financial institution engages in a marketing campaign that involves any kind of compensation to consumers in exchange for personal information, this activity would likely be considered a financial incentive program under the CCPA and would likely trigger the CCPA Notice of Financial Incentive requirements. Such financial incentive programs may include encouraging consumers to provide personal information by taking a survey, entering into a sweepstakes, or referring a friend to apply for a new loan in exchange for a gift card, account credit, loyalty rewards, or any other form of compensation.

Financial institutions generally are not required to comply with many of the CCPA requirements because of the exemption for “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act” (GLBA). However, personal information collected by a financial institution for marketing purposes or used as part of a financial incentive program may potentially fall outside the scope of the GLBA exemption and, if so, financial institutions would need to comply with the CCPA requirements. If compliance is required, a financial institution must comply with not only the financial incentive disclosure requirements, but also all other CCPA requirements regarding consumer privacy rights related to such activities. Such requirements include responding to “requests to know” and “requests to delete” with respect to personal information collected through a financial incentive program.

A Notice of Financial Incentive must include the following:

  1. A succinct summary of the financial incentive or price or service difference offered;
  2. A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;
  3. How the consumer can opt-in to the financial incentive or price or service difference;
  4. A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and
  5. An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including (a) a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and (b) a description of the method the business used to calculate the value of the consumer’s data. Cal. Code Regs. tit. 11, § 999.307.

One of the more challenging aspects of the Notice of Financial Incentive requirements is the need to explain how the value of the financial incentive relates to the value of the personal information to the company. The CCPA regulations provide some guidance on how companies can document a reasonable and good faith method for calculating the value of the consumer’s data in order to offer a different price, rate, level, or quality of goods or services that is directly related to the value provided by the consumer’s information. Cal. Civ. Code § 1798.125(b)(1); Cal. Code Regs. tit. 11, § 999.337. However, in practice, few companies are assigning specific values or tracking profit generated from particular pieces of personal information, which makes compliance in this area especially challenging.

The news release regarding Attorney General Bonta’s announcement is available here and the summary of CCPA enforcement case examples is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
