On January 28th, National Data Privacy Day, California Attorney General Rob Bonta announced that his office had notified several businesses operating loyalty programs in California about alleged noncompliance with the California Consumer Privacy Act (CCPA).
The CCPA allows businesses to offer financial incentives in exchange for collecting, selling, or sharing personal information with the consumer’s consent. Businesses that offer a financial incentive program, like certain loyalty programs, must provide readily accessible notice that clearly describes the material terms of the program, how the consumer can opt in and opt out, and how the value of the incentive provided is reasonably related to the value of the consumer’s data to the business. Importantly, the financial incentive regulations apply to data collected online and offline, as made apparent by the Attorney General.
The warning letters were sent to major corporations in the retail, home improvement, travel, and food and services industries. The notices allege the businesses failed to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA. Under the CCPA, businesses that receive notice of a violation have 30 days to cure the violation; however, the right to a cure period will go away when the California Privacy Rights Act (CPRA) becomes effective January 1, 2023.
This enforcement activity regarding financial incentives indicates the importance the California Attorney General is placing on how businesses collect and use customer data in connection with such programs. Businesses offering loyalty programs or other incentives in connection with the collection or use of consumer data, even as simple as offering a discount in exchange for a consumer signing up to receive emails, should work with counsel to evaluate the programs and provide any necessary disclosures.
*Aaron Parry contributed to this post
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.