February 3rd, 2022
Does Your Loyalty Program Violate the CCPA?
While many of us were celebrating Data Privacy Day last week, California Attorney General Rob Bonta tweeted and released a statement that his office has sent warning letters to businesses in a variety of industries for alleged failure to comply with CCPA. Although the tweet and statement do not name the letter recipients or provide details of the alleged offenses, they offer important insight into the AG’s position on financial incentives and CCPA enforcement priorities. Here's what marketers need to know:
Who received letters from the AG?
According to the statement, the AG’s Office conducted an “investigative sweep of a number of businesses operating loyalty programs in California[,]” including in the retail, home improvement, travel, and food services industries. The AG sent warning letters to those businesses operating loyalty programs that appeared non-compliant with the financial incentive obligations under CCPA. The letter recipients have 30 days to fix the alleged violations before the AG can bring formal enforcement action.
What is the financial incentive obligation under CCPA?
The financial incentive obligation has been one of the more confusing and controversial aspects of CCPA. In sum, a business that offers a financial incentive must: (1) provide notice to consumers of the material terms of the financial incentive; and (2) obtain opt-in consent from consumers to the financial incentive, which can be revoked at any time. The CCPA and accompanying Regs set out highly specific requirements regarding the notice and opt-in.
Is a loyalty program a financial incentive?
The term “financial incentive” is not well defined under CCPA, and efforts failed during the CCPA amendment process to clarify the term. The CCPA Regs later defined the term to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.” While the Regs mention loyalty programs in the context of potential discriminatory practices, the Regs do not expressly state that a loyalty program is always a financial incentive. (We note that the AG indicated in 2020 in its response to comments submitted for the CCPA Regs that it believed loyalty programs should receive the same treatment as other financial incentives.) And the FAQ published by the AG doesn’t give much guidance on the topic. As a result, privacy experts have argued for years over which practices should be considered a financial incentive, and the debate has essentially resulted in a “you’ll know it when you see it” mentality.
What are some of the business concerns around classifying a loyalty program as a financial incentive?
Under CCPA, a business may only offer a financial incentive if it is reasonably related to the value of the consumer’s data. As part of the notice requirement mentioned above, the CCPA Regs require a business to provide a good-faith estimate of the value of the consumer’s data to the business, as well as a description of the method the business used to calculate the value of the data. Many businesses have resisted classifying their loyalty programs as financial incentives on the basis that how they value their consumer data is a trade secret which they don’t want to publicly disclose.
What is the impact of these letters?
These letters make clear that businesses can no longer avoid the financial incentive obligation with respect to loyalty programs. Per the statement, the AG has taken action against businesses for “failing to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA.” Also, the statement indicates that the AG’s interpretation of financial incentives goes beyond loyalty programs to include “discounts, free items, or other rewards” in exchange for personal information. Businesses need to carefully evaluate their practices in the context of the financial incentive obligation.
What about offline loyalty programs?
The financial incentive obligation covers both online and offline data collection, and the AG is looking at both types of practices. As part of the statement, the AG issued the following quote:
“In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store [.] We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it. On Data Privacy Day, we’re issuing notices to business[es] that operate loyalty programs and use personal information in violation of California's data privacy law. I urge all businesses in California to take note and be transparent about how you're using your customer's data. My office continues to fight to protect consumer privacy, and we will enforce the law.”
Why did it take two years for the AG to issue its first warnings?
This is actually not the first time the AG has issued warnings to businesses for failure to comply with the financial incentive obligation under CCPA. Last year, the AG posted enforcement case examples, one of which related to loyalty programs. In the relevant example, the AG found that a grocery chain retailer “did not provide a Notice of Financial Incentive to consumers participating in these loyalty programs.” According to the post, the retailer amended its privacy policy to include the notice. In addition to this public enforcement case example, the AG has issued warnings to other businesses that have not been made publicly available.
Can we rely on the 30-day window to cure?
The main reason we haven’t seen public enforcement actions resulting in penalties is that the CCPA gives businesses a 30-day window to cure their noncompliance. However, the CPRA, which amends the CCPA effective January 1, 2023, removes this mandatory 30-day cure period. Further, the AG has indicated that some offenses are non-curable. Businesses should not rely on the 30-day window to cure, and we expect to see public enforcement actions resulting in penalties in the near future.
What’s next?
The CPRA makes some slight changes to the obligations around financial incentives, but we anticipate California’s new privacy regulatory agency, the CPPA, will issue updated Regs around financial incentives (the Regs are due by July 1, 2022). We will keep track of updates around financial incentives and report back as we learn more.
Further Reading
This marks the second year in a row where the AG has used Data Privacy Day to announce an update to CCPA enforcement (last year the AG issued a tweet related to Global Privacy Control (GPC), which faced criticism from ad tech stakeholders).
Frankfurt Kurnit partner Daniel M. Goldberg was quoted on this matter in MediaPost. Read his quotes and the article here.
Questions? If you have questions about CCPA compliance, or about any other privacy and data security matters, contact Frankfurt Kurnit Privacy & Data Security Group Chair Daniel M. Goldberg at (310) 579-9616 or dgoldberg@fkks.com, Privacy & Data Security Associate Maria Nava at (310) 579-9628 or mnava@fkks.com or any other member of the firm’s Privacy & Data Security Group.