Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.

The Rules Vary by Program. Privacy Obligations Do Not.

Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:

  • A retailer runs a points-based loyalty program that collects purchase history and behavioral data.
  • A company with a household brand name runs a sweepstakes and collects contact information for prize fulfillment.
  • A manufacturer offers mail-in rebates and collects names, addresses, and receipts to provide the rebates.
  • A mobile app runs a referral campaign and collects device identifiers and app usage data.
  • A sports betting app runs an advertising campaign to attract participants and inadvertently collects personal information from middle school kids who like sports.

All these instances trigger compliance obligations—even if the activities feel informal or low-risk.

Federal Law Sets the Floor

The Federal Trade Commission (FTC) uses its authority under Section 5 of the FTC Act to bring enforcement actions against businesses that do not honor their privacy promises. If your promotional materials, FAQs, or sign-up flows describe how personal information will be used, that description is a legal commitment—not just marketing language. Deviating from that description makes you an enforcement target.

Further, the Children’s Online Privacy Protection Rule (COPPA) specifically regulates the online collection, use, and sharing of personal information from children under 13. A food brand running a kid-friendly sweepstakes and a gaming company running a rewards program both need to think carefully about whether COPPA applies and whether parental consent is required.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) and the Telephone Consumer Protection Act (TCPA) govern how businesses communicate with consumers via email and text message. A retailer sending promotional emails to loyalty program members and a restaurant texting discount codes to rewards app users would both need to comply with rules around consent and message content and provide opt-out mechanisms. Failing to honor an opt-out request—or sending marketing texts without the required prior express written consent—can expose a business to significant per-message statutory penalties.

Disclosure Is Not Optional

Clear and conspicuous disclosures are required at every stage, including how the program or campaign is advertised, how data collection is described, and how people can enter or participate. If people can earn rewards points, discounts, or sweepstakes entries in exchange for leaving a review or social media post about your brand, that incentive must be clearly disclosed. A generic hashtag or buried fine print will not suffice.

State Laws Add Complexity

Nineteen states have already enacted their own data privacy laws, and promotions that involve the online collection of consumer personal information might be subject to these laws. These state laws vary significantly, meaning required disclosure language, opt-out rights, and even program mechanics can differ, based on where your customers live.

Bottom Line

Businesses that collect the personal information of consumers for promotional purposes must review whether that data collection falls under the scope of federal and state privacy laws. If so, they must comply with all applicable federal laws, plus the laws of every state in which they plan to run their promotions. The rules are numerous, vary by state, and change frequently. Getting ahead of these issues during program design is far easier than fixing them after the fact.