Keypoint: With the CCPA’s “right to cure” alleged violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if they offer discounts, free items, loyalty programs, or other rewards in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.

The CCPA’s financial incentive concept arises out of section 1798.125(b), which provides that a “business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.”

Providing Notice

A business that offers financial incentives is required to notify consumers of the financial incentive. In addition, prior to entering a consumer into a financial incentive program, businesses must provide a notice that “clearly describes the material terms of the financial incentive program” and obtain opt-in consent from the consumer. The business also must not use “financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.”

Section 999.307 of the CCPA regulations further defines what must be included in the financial incentive notice:

  1. A succinct summary of the financial incentive or price or service difference offered;
  2. A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;
  3. How the consumer can opt-in to the financial incentive or price or service difference;
  4. A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and
  5. An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
     a. A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and
     b. A description of the method the business used to calculate the value of the consumer’s data.

As to the last requirement listed, per section 999.337 of the CCPA regulations, businesses offering financial incentives must “use and document a reasonable and good faith method for calculating the value of the consumer’s data.” The regulation identifies eight methods businesses may use individually or in combination.

The notice also must: (1) be easy to read and understandable to consumers; (2) use plain, straightforward language and avoid technical or legal jargon; (3) use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable; (4) be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California; (5) be reasonably accessible to consumers with disabilities; and (6) be readily available where consumers will encounter it before opting-in to the financial incentive or price or service difference.

If a business offers the financial incentive online, the notice can be given by providing a link to the section of the business’s privacy policy that contains the required information.

Loyalty Programs

During the rulemaking process, the Attorney General’s office made clear that loyalty programs are subject to these same requirements. For example, in comment 254 in Appendix A to the Final Statement of Reasons, the Attorney General stated:

[I]f a business does offer such a financial incentive or price or service difference (including by way of a “loyalty program,” which is not a defined term in the CCPA), it must be reasonably related to the value of the consumer’s data to the business. See Civ. Code § 1798.125. The comment has not provided evidence that loyalty programs’ benefits are in fact generally unrelated to the value of the consumer’s data. However, if that is the case, disclosure of the data’s value is all the more important. The purpose of the CCPA’s anti-discrimination provisions is to ensure that any financial incentives or price or service differences connected to the exercise of CCPA rights are reasonably related to the value of the consumer’s data. Finally, [the] Legislature considered but ultimately rejected a bill that would have exempted “loyalty programs” from certain requirements applicable to financial incentive programs. See AB 846 (2019-2020). That rejection indicates the Legislature’s intent that loyalty programs, however defined, should receive the same treatment as other financial incentives.

For the sake of completeness, it should be noted that the California Privacy Rights Act (CPRA) will add the following sentence to section 1798.125: “This subdivision does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with this title.”

In addition to issuing regulations, the office briefly addressed the issue when it published twenty-seven examples of enforcement actions in July 2021. One of the examples concerned a grocery chain that did not provide a notice of financial incentive:

A business that operates a chain of grocery stores required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to consumers participating in these loyalty programs. After being notified of alleged noncompliance, the company amended its privacy policy to include a Notice of Financial Incentive.

Finally, while businesses receiving the notices issued on January 28 will have thirty days to cure the alleged violation, that right to cure will no longer exist as of January 1, 2023, when the CPRA goes into effect.

David Stauss

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Malia Rogers

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures as well as drafting breach response and action plans.

Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.