1. What qualifies as a “loyalty program” covered by the CPA?
The CPA applies only to businesses that control or process the personal data of 100,000 or more Colorado residents per year, or 25,000 or more Colorado residents if the business also derives revenue or discounts from the sale of personal data.[1]
The CPA regulations define a “bona fide loyalty program” as a “loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing [benefits] to consumers that voluntarily participate in that program, such that the primary purpose of processing personal data through the program is solely to provide [benefits]” to the participants.[2] The regulations further define “benefits” as “an offer of superior price, rate, level, quality, or selection of goods or services,” whether provided directly by the business or by a business partner.[3]
2. What do the CPA regulations require for my loyalty program?
Notice
In addition to the information the CPA already requires in your privacy policy, if you have a qualifying loyalty program under the CPA regulations, your privacy policy must disclose:[4]
- Categories of personal or sensitive data collected through the loyalty program that will be sold or processed for targeted advertising, if any;
- Categories of third parties that will receive personal or sensitive data, including whether it will be provided to data brokers;
- A list of any loyalty program partners, and benefits provided by each partner;
- Whether a consumer’s deletion request will prevent participation in the loyalty program, with an explanation as to why; and
- Whether sensitive data is required for a loyalty program benefit, with an explanation as to why.
This notice must be provided at the time a consumer registers for the loyalty program, either directly or via a link to the information within the business’s privacy policy or terms and conditions.[5] Loyalty program terms and conditions, and any consent collected to process personal or sensitive data in connection with the loyalty program, must also link to the business’s standard privacy notice.[6]
Data Subject Requests
The loyalty program regulations directly implicate the rights the CPA affords to Coloradans. If a consumer asks your business to “delete” their personal data, you do not have to provide the loyalty program to that consumer if the deletion request makes administering the program impossible, but you do have to provide any loyalty program benefit for which personal data is not necessary.[7] Similarly, if a consumer opts out of the use of their data for targeted advertising or sales, and the loyalty program is impossible to administer given that opt-out, you do not have to provide it; but you do have to provide any loyalty program benefit that does not depend on personal data being used for targeted advertising or sales.[8]
If you sell personal data collected through the loyalty program, or share or process it for targeted advertising, those activities are considered a “secondary use” under the CPA, which means you will have to obtain additional consent from program participants.[9] Finally, if a consumer exercises any other data right and doing so interferes with their membership in the loyalty program, you must notify them of the impact at least 24 hours before discontinuing their participation, along with providing a link to the required notice discussed above.[10]
Sensitive Data
The CPA regulations also directly address how businesses must handle sensitive data with respect to loyalty programs. Businesses cannot condition participation in the loyalty program on consent to process sensitive data unless that data is required for all program benefits. If a consumer refuses to consent to sensitive data processing, you are not required to provide personalized loyalty program benefits; but you are still required to provide the non-personalized benefits that can be delivered without the sensitive data.[11] Note that the regulations have expanded the definition of “sensitive data” to include “sensitive data inferences,” meaning that products and services you sell that can reveal, for example, health information about a consumer will trigger these requirements.[12]
3. What steps should be taken to make sure my loyalty program complies with the CPA?
Companies should take the following steps:
- Ensure that either your privacy policy or your terms of use meets the notice requirements. Because these documents are public facing, they are the loyalty program’s biggest risk in terms of compliance gaps.
- Assess how your loyalty program functions. Distinguish between personalized and non-personalized loyalty program benefits, and determine how your data processing practices factor into the program. Check whether loyalty program data is implicated by your targeted advertising practices.
- Review your data subject request process and establish the necessary channels of communication between the personnel responsible for data subject requests and those administering the loyalty program.
- If your loyalty program touches sensitive data, conduct a data privacy impact assessment.
The CPA’s loyalty requirements likely make Colorado the most complex state for loyalty programs. Care should be taken to comply properly with these new, complex rules.
[1] C.R.S. § 6-1-1304(1).
[2] 4 CCR 904-3, Rule 2.02.
[3] 4 CCR 904-3, Rule 2.02.
[4] 4 CCR 904-3, Rule 6.05(F)(1).
[5] 4 CCR 904-3, Rule 6.05(F)(1).
[6] 4 CCR 904-3, Rule 6.05(F)(2).
[7] 4 CCR 904-3, Rule 6.05(B).
[8] 4 CCR 904-3, Rule 6.05(C), (C)(1).
[9] 4 CCR 904-3, Rule 6.05(C)(2).
[10] 4 CCR 904-3, Rule 6.05(E).
[11] 4 CCR 904-3, Rule 6.05(D).
[12] 4 CCR 904-3, Rule 2.02.
This article was originally published on ColoradoBiz.com.