June 3, 2023

Volume XIII, Number 154



Loyalty Programs in the California AG’s Crosshairs Once Again

With a nod to Data Privacy Day (January 28), California Attorney General Rob Bonta announced an enforcement sweep of loyalty programs operated by retail, home improvement, travel, and foodservice companies.  The California Consumer Privacy Act (CCPA) defines a “financial incentive” as “a program, benefit, or another offering, including payments to consumers, related to the collection, retention, or sale of personal information,” Regs. § 999.301(j) (emphasis added), and has transparency, choice, and fairness requirements for such a program to be offered to Californians.  The Office of the Attorney General of California (OAG) has taken a very broad approach to applying the CCPA’s financial incentive rules to loyalty programs, essentially treating a program as a financial incentive if it collects any personal information as part of its operation.

The CCPA’s financial incentive rules require businesses to give consumers notice of the material terms of any financial incentive program.  The CCPA does not define “material term,” but the OAG has given us some guidance as to what it believes are material terms for loyalty programs.  The notice must also include a summary of the financial incentive or price or service difference offered; the value of the financial incentive; the categories of personal information implicated by the financial incentive; how the consumer can subscribe (prior opt-in consent) and terminate (withdraw consent) participation; and an “explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. . . .” Regs. § 999.307(b)(1)-(5).  There are various other CCPA requirements that businesses need to comply with in implementing their loyalty programs.  The data and benefit valuation methods and the balancing requirement call for strategic thought, including with regard to trade secret protection.

In the enforcement sweep, the OAG issued notice of noncompliance letters to “a number of businesses” that offer “financial incentives, such as discounts, free items, or other rewards, in exchange for personal information. . . .”  The businesses have 30 days to cure and come into compliance with the CCPA.  This isn’t the OAG’s first shot at targeting alleged privacy issues in loyalty programs.  On July 19, 2021, the OAG issued a press release summarizing its first-year CCPA enforcement, which we covered here.  Most of the 27 resolved exemplary cases dealt with notice deficiencies and inadequate disclosures, including loyalty programs.  The businesses in these exemplary cases included both brick and mortar and online-based businesses.

Also in the press release is a one-off statement from the OAG that may confuse some readers: “Businesses are required under CCPA to provide a notice of financial incentive if profiting from the collection of customers’ personal information.”  This is an overly broad statement.  A business can profit from the collection of personal information without offering a program that would qualify as a financial incentive under the CCPA.  Perhaps this was just an attempt at rephrasing Attorney General Bonta’s quote about businesses finding new ways to profit from consumer data.  Either way, loyalty programs are an enforcement priority and the OAG wants businesses to be transparent about their data practices.

Note that the California Privacy Rights Act (“CPRA”), which amends the CCPA, adds an additional requirement for loyalty programs effective January 1, 2023: a business is prohibited from requesting that a consumer provide opt-in consent for a loyalty program for at least 12 months after the consumer last declined to provide opt-in consent for that program.  The CPRA also defines “consent,” something the CCPA does not.  Businesses should review their loyalty programs for CCPA compliance now, and begin preparing for the CPRA.

© Copyright 2023 Squire Patton Boggs (US) LLP

National Law Review, Volume XII, Number 31

About this Author

Kyle Dull Data Privacy & Cybersecurity Lawyer Squire Patton Boggs Miami Florida

A former assistant attorney general, Kyle has extensive experience investigating and litigating privacy and advertising law violations. He now draws on that experience to advise clients on their own data privacy, cybersecurity and advertising risks, and is regularly retained by corporations to defend and resolve enforcement actions.

Kyle has a solid understanding of domestic and international privacy laws and counsels digital media companies looking to protect their digital property and avoid potential legal issues by negotiating and drafting licensing, joint venture and data...

+1 305 577 2840

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...