The California attorney general (AG) celebrated Data Privacy Day by doing an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending out notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the AG focuses its attention on loyalty programs, the following provides a reminder of the requirements under the CCPA.
What is a loyalty program?
Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers; others track products purchased. Some programs are free to participate in; others require consumers to purchase membership. Some programs offer consumers additional products; other programs offer prizes, money, or products from third parties. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs have two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.[1]
What are the general obligations under the CCPA?
Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:
| Right | Applicability to Loyalty Program |
| --- | --- |
| Notice at collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.[2] |
| Privacy notice | A loyalty program that collects personal information of its members should make a privacy notice available to its members.[3] |
| Access to information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.[5] |
| Deletion of information | A member of a loyalty program may request that a business delete the personal information collected about them. That said, a company may be able to deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-out of sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information. |
| Notice of financial incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA (discussed below), a business should provide a “notice of financial incentive.”[4] |
Are loyalty programs always financial incentive programs?
Whether a loyalty program constitutes a “financial incentive” program as that term is defined by the regulations implementing the CCPA depends on the extent to which the loyalty program’s benefits “relate to” the collection, retention, or sale of personal information.[6] While the California Attorney General has implied that all loyalty programs “however defined, should receive the same treatment as other financial incentives,” a strong argument may exist that for many loyalty programs the benefits provided are directly related to consumer purchasing patterns (i.e., repeat or volume purchases) and are not “related” to the collection of personal information.[7] If a particular loyalty program qualifies as a financial incentive program, a business should consider the following steps (in addition to the compliance obligations identified above):
- Notify the consumer of the financial incentive.[8] The regulations implementing the CCPA specify that the financial incentive notice should contain the following information:
  - A summary of the financial incentive offered.[11] In the context of a loyalty program a description of the benefits that the consumer will receive as part of the program would likely provide a sufficient summary of the financial incentive.
  - A description of the material terms of the financial incentive.[12] The regulation specifies that the description should include the categories of personal information that are implicated by the financial incentive program and the “value of the consumer’s data.”[13]
  - How the consumer can opt-in to the financial incentive.[14] Information about how a consumer can opt-in (or join) a financial incentive program is typically conveyed when a consumer reviews an application to join or sign-up with the program.
  - How the consumer can opt-out, or withdraw, from the program.[15] This is an explanation as to how the consumer can invoke their right to withdraw from the program.[16]
  - An explanation of how the financial incentive is “reasonably related” to the value of the consumer’s data.[17] While the regulations state that a notice of financial incentive should provide an explanation as to how the financial incentive “reasonably relates” to the value of the consumer’s data, the CCPA requires only that a reasonable relationship exists if a business intends to discriminate against a consumer “because the consumer exercised any of the consumer’s rights” under the Act.[18] Where a business does not intend to use its loyalty program to discriminate against consumers that exercise CCPA-conferred privacy rights, it’s not clear whether this requirement applies. In the event that a reasonable relationship must be shown, however, the regulations require that a company provide a “good-faith estimate of the value of the consumer’s data that forms the basis” for the financial incentive and that the business provide a “description of the method” used to calculate that value.[19]
- Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive,[9] and
- Permit the consumer to revoke their consent “at any time.”[10]
[1] FSOR Appendix A at 273 (Response 814) (including recognition from the AG that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).
[2] Cal. Civ. Code § 1798.100(a) (West 2021); Cal. Code Regs. tit. 11, 999.304(b), 305(a)(1) (2021).
[3] Cal. Code Regs. tit. 11, 999.304(a) (2021).
[4] Cal. Code Regs. tit. 11, 999.301(n); 304(d); 307(a), (b).
[5] Cal. Civ. Code § 1798.100(a).
[6] Cal. Code Regs. tit. 11, 999.301(j) (2021).
[7] FSOR Appendix A at 75 (Response 254).
[8] Cal. Civ. Code § 1798.125(b)(2) (West 2021).
[9] Cal. Civ. Code § 1798.125(b)(3) (West 2021).
[10] Cal. Civ. Code § 1798.125(b)(3) (West 2021).
[11] Cal. Code Regs. tit. 11, 999.307(b)(1) (2021).
[12] Cal. Code Regs. tit. 11, 999.307(b)(2) (2021).
[13] Cal. Code Regs. tit. 11, 999.307(b)(2) (2021).
[14] Cal. Code Regs. tit. 11, 999.307(b)(3) (2021).
[15] Cal. Code Regs. tit. 11, 999.307(b)(4) (2021).
[16] Cal. Civ. Code § 1798.125(b)(3) (West 2021).
[17] Cal. Code Regs. tit. 11, 999.307(b)(5) (2021).
[18] Cal. Civ. Code § 1798.125(a)(1), (2) (West 2021).
[19] Cal. Code Regs. tit. 11, 999.307(b)(5)(a), (b) (2021).