Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third-party products. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter, most, if not all, loyalty programs share two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.1
Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:
| | Applicability to Loyalty Program |
|---|---|
| Notice at Collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.2 |
| | A loyalty program that collects personal information of its members should make a privacy notice available to its members.3 |
| Notice of Financial Incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA, a business should provide a “notice of financial incentive.”4 |
| Access to Information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.5 |
| Deletion of information | A company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-out of sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information. |
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. FSOR Appendix A at 273 (Response No. 814) (including recognition from the Attorney General that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).
2. Cal. Civil Code 1798.100(b); Cal. Reg. 999.304(b), 305(a)(1).
3. Cal. Civil Code 1798.100(b).
4. Cal. Reg. 999.301(n); 304(d); 307(a), (b).
5. Cal. Civil Code 1798.100(a).