California Attorney General Eyes Loyalty Programs for CCPA Violations

On Data Privacy Day (January 28), California Attorney General Rob Bonta issued a statement on a recent “investigative sweep” conducted by the California Office of the Attorney General concerning businesses operating loyalty programs and their compliance with the financial incentive requirements of the California Consumer Privacy Act of 2018 (the “CCPA”). Based on the findings of the investigation, the Attorney General sent notices of noncompliance to businesses that are allegedly failing to provide notices of financial incentive programs to customers that opt into their loyalty programs, as required by the CCPA.

The Attorney General sent these notices to a variety of businesses, including retailers, home improvement businesses, travel and food service industry members, as well as data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. Businesses that received notices of noncompliance have 30 days from the date of the notice to cure any alleged violation or the Attorney General can initiate enforcement actions. Notably, starting January 1, 2023, once the California Privacy Rights Act of 2020 (the “CPRA”) takes effect, this 30-day cure period will be eliminated and the recently established California Consumer Protection Agency will have discretion over whether to give a business time to cure an alleged violation.

Under the CCPA, businesses doing business in California that offer a “financial incentive” in exchange for personal information must provide consumers with a notice explaining each financial incentive. A “financial incentive” is defined as “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information” and may include discounts, free items, or other rewards. The purpose of the notice of financial incentive is to explain to the consumer the material terms of a financial incentive so that the consumer may make an informed decision about whether to participate. In addition to the notice, the CCPA requires a business to obtain a consumer’s prior opt-in consent before entering the consumer into a financial incentive, and the consumer may revoke this consent at any time.

A business must provide the notice of financial incentive prior to entering a consumer into the financial incentive program and such notice must:

  1. summarize the financial incentive;
  2. describe the material terms of the financial incentive program, including the categories of personal information collected and the value of the consumer’s personal information to the business;
  3. provide instructions on how consumers can opt in to the financial incentive and how consumers can opt out or withdraw from the financial incentive; and
  4. explain how the financial incentive is reasonably related to the value of the consumer’s personal information to the business, including a good-faith estimate of the value of the consumer’s data and a description of the method the business used to calculate the value of the consumer’s data.

The statement from the California Office of the Attorney General made clear that the financial incentive requirements of the CCPA apply to personal information collected online as well as in person. Further, the Attorney General warned, “I urge all businesses in California to take note and be transparent about how you’re using your customer’s data. My office continues to fight to protect consumer privacy, and we will enforce the law.” If you need assistance with your CCPA compliance efforts or want more information on compliance with the CCPA or its financial incentive requirements, please contact one of our Cybersecurity & Data Privacy attorneys.