Advertising

Customer loyalty program concept in e-commerce for customer engagement. Man holding phone displaying earning points after purchasing online.

Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.

The Rules Vary by Program. Privacy Obligations Do Not.

Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:

  • A retailer runs a points-based loyalty program which collects purchase history and behavioral data.
  • A company with a household brand name runs a sweepstakes and collects contact information for prize fulfillment.
  • A manufacturer offers mail-in rebates and collects names, addresses, and receipts to provide the rebates.
  • A mobile app runs a referral campaign and collects device identifiers and app usage data.
  • A sports betting app runs an advertising campaign to attract participants and inadvertently collects personal information from middle school kids who like sports.

All these instances trigger compliance obligations—even if the activities feel informal or low-risk.

employee-scaled.jpeg

With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.