February 3rd, 2022
Does Your Loyalty Program Violate the CCPA?
While many of us were celebrating Data Privacy Day last week, California Attorney General Rob Bonta tweeted and released a statement that his office has sent warning letters to businesses in a variety of industries for alleged failure to comply with CCPA. Although the tweet and statement do not name the letter recipients or provide details of the alleged offenses, they offer important insight into the AG’s position on financial incentives and CCPA enforcement priorities. Here's what marketers need to know:
Who received letters from the AG?
According to the statement, the AG’s Office conducted an “investigative sweep of a number of businesses operating loyalty programs in California[,]” including in the retail, home improvement, travel, and food services industries. The AG sent warning letters to those businesses operating loyalty programs that appeared non-compliant with the financial incentive obligations under CCPA. The letter recipients have 30 days to fix the alleged violations before the AG can bring formal enforcement action.
What is the financial incentive obligation under CCPA?
The financial incentive obligation has been one of the more confusing and controversial aspects of CCPA. In sum, a business that offers a financial incentive must: (1) provide notice to consumers of the material terms of the financial incentive; and (2) obtain opt-in consent from consumers to the financial incentive, which can be revoked at any time. The CCPA and accompanying Regs set out highly specific requirements regarding the notice and opt-in.
Is a loyalty program a financial incentive?
The term “financial incentive” is not well defined under CCPA, and efforts failed during the CCPA amendment process to clarify the term. The CCPA Regs later defined the term to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.” While the Regs mention loyalty programs in the context of potential discriminatory practices, the Regs do not expressly state that a loyalty program is always a financial incentive. (We note that the AG indicated in 2020 in its response to comments submitted for the CCPA Regs that it believed loyalty programs should receive the same treatment as other financial incentives.) And the FAQ published by the AG doesn’t give much guidance on the topic. As a result, privacy experts have argued for years over which practices should be considered a financial incentive, and the debate has essentially resulted in a “you’ll know it when you see it” mentality.
What are some of the business concerns around classifying a loyalty program as a financial incentive?
Under CCPA, a business may only offer a financial incentive if it is reasonably related to the value of the consumer’s data. As part of the notice requirement mentioned above, the CCPA Regs require a business to provide a good-faith estimate of the value of the consumer’s data to the business, as well as a description of the method the business used to calculate the value of the data. Many businesses have resisted classifying their loyalty programs as financial incentives on the basis that how they value their consumer data is a trade secret which they don’t want to publicly disclose.
What is the impact of these letters?
These letters make clear that businesses can no longer avoid the financial incentive obligation with respect to loyalty programs. Per the statement, the AG has taken action against businesses for “failing to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA.” Also, the statement indicates that the AG’s interpretation of financial incentives goes beyond loyalty programs to include “discounts, free items, or other rewards” in exchange for personal information. Businesses need to carefully evaluate their practices in the context of the financial incentive obligation.
What about offline loyalty programs?
The financial incentive obligation covers both online and offline data collection, and the AG is looking at both types of practices. As part of the statement, the AG issued the following quote:
“In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store [.] We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it. On Data Privacy Day, we’re issuing notices to business[es] that operate loyalty programs and use personal information in violation of California's data privacy law. I urge all businesses in California to take note and be transparent about how you're using your customer's data. My office continues to fight to protect consumer privacy, and we will enforce the law.”
Why did it take two years for the AG to issue its first warnings?
Can we rely on the 30-day window to cure?
The main reason we haven’t seen public enforcement actions resulting in penalties is that the CCPA gives businesses a 30-day window to cure their noncompliance. However, CPRA, which replaces CCPA on January 1, 2023, removes this 30-day window to cure. Further, the AG has indicated that some offenses are non-curable. Businesses should not rely on this 30-day window to cure, and we expect to see public enforcement actions resulting in penalties in the near future.
The CPRA makes some slight changes to the obligations around financial incentives, but we anticipate California’s new privacy regulatory agency, the CPPA, will issue updated Regs around financial incentives (the Regs are due by July 1, 2022). We will keep track of updates around financial incentives and report back as we learn more.
This marks the second year in a row where the AG has used Data Privacy Day to announce an update to CCPA enforcement (last year the AG issued a tweet related to Global Privacy Control (GPC), which faced criticism from ad tech stakeholders).
Frankfurt Kurnit partner Daniel M. Goldberg was quoted on this matter in MediaPost. Read his quotes and the article here.
Questions? If you have questions about CCPA compliance, or about any other privacy and data security matters, contact Frankfurt Kurnit Privacy & Data Security Group Chair Daniel M. Goldberg at (310) 579-9616 or firstname.lastname@example.org, Privacy & Data Security Associate Maria Nava at (310) 579-9628 or email@example.com or any other member of the firm’s Privacy & Data Security Group.