Loyalty and reward programs an enforcement focus under the CCPA
As California Attorney General Rob Bonta continues to bring enforcement actions under the California Consumer Privacy Act (CCPA or Act), covered entities should take note of a marketing practice often overlooked under the CCPA – loyalty programs. On Data Privacy Day, Bonta announced an investigative sweep of a number of businesses operating loyalty programs in California. More specifically, the California Attorney General’s office issued notices alleging non-compliance with the CCPA’s notice requirements to businesses in the retail, home improvement, travel, and foodservice industries.
The Notice of Financial Incentive Requirement under the CCPA
The CCPA introduced the concept of considering whether loyalty programs offer a “financial incentive.” The regulations define a “financial incentive” as “a program, benefit, or another offering, including payments to consumers, related to the collection, retention, or sale of personal information,” Regs. section 999.301(j). If a company offers such an incentive, it is important that the company provide appropriate notice of the material terms of the program. Specifically, businesses offering financial incentives in California are required to provide consumers with a formal Notice of Financial Incentive. Primarily, such notice “must be designed and presented in a way that is easy to read and understandable to consumers” and should be (i) written in plain, straightforward language; (ii) drafted in a conspicuous manner; (iii) made available to consumers before they are given the choice to opt in to the program; and (iv) reasonably accessible to consumers with disabilities. In addition, the notice must include:
- A succinct summary of the financial incentive or price or service difference offered.
- A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data.
- How the consumer can opt in to the financial incentive or price or service difference.
- A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right.
- An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
  - A good faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference.
  - A description of the method the business used to calculate the value of the consumer’s data, which can be found on WestLaw.
Notably, if the financial incentive is offered online, the notice may be given by providing a link to the business’s privacy policy so long as it contains the information outlined above.
It is important for companies to ensure that they actually conduct an analysis of the value of the consumer’s data that forms the basis of the financial incentive. The terms need to explain the basis for determining that the incentive is reasonably related to whatever limitations on CCPA rights are required. This will help businesses avoid being deemed to be offering “discriminatory” financial incentives, which would be prohibited under the CCPA. The CCPA is clear that businesses shall not discriminate against consumers for exercising any of the rights, such as the right to opt out of the “sale” of their data. The financial incentive described above is an exception to the non-discrimination provision, but the incentive must be offered in accordance with the requirements of the CCPA (described above).
Loyalty programs under the CCPA
Loyalty programs have long been a staple in the marketer’s handbook, from the “sandwich card” at your local sandwich shop (e.g., “Buy nine sandwiches and get your tenth for free”) to airline frequent flyer programs. Simply put, these programs offer rewards, discounts, or other special incentives and are designed as a reward for a customer's repeat business. Such incentive programs are a great way for businesses to connect and engage with customers, while affording businesses the ability to customize offers, products, and communications to meet customers’ needs and do precisely what they were named for: to establish loyalty. While there was initial industry debate about whether loyalty programs were truly financial incentives (e.g., whether they involved the provision of an incentive in exchange for personal information), the California Attorney General’s office made its position clear in the last year and with this most recent notice of an enforcement sweep.
Enforcement sweep
On January 28, 2022, Bonta’s office issued letters to “a number of businesses” that offer “financial incentives, such as discounts, free items, or other rewards, in exchange for personal information....” The businesses have 30 days to cure and come into compliance with the CCPA. Attorney General Bonta explained, “In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store.”
Takeaway
Bonta’s announcement serves as a warning to any business offering loyalty and reward programs to California consumers: do so with CCPA requirements in mind. In short, any company offering or considering offering a loyalty program in California should:
- Ensure their notifications meet the requirements delineated by the CCPA
- Verify that such programs have the ability to honor applicable consumer rights requests
- Confirm that their financial incentive falls within the exception to the non-discriminatory provision described above
In summary, with the majority of the California Privacy Rights Act (CPRA) provisions slated to become operative in 2023 and the California Attorney General’s office zeroing in on CCPA violations, entities operating loyalty programs in California should review their disclosures related to such programs and ensure that they comply with the principles outlined above. Additionally, with both consumers and regulators increasing their scrutiny of any and all practices related to the collection and use of personal data, covered entities must be sure to continuously monitor and assess their data practices and procedures, and ensure that no compliance responsibilities are overlooked.
Client Alert 2022-023