Loyalty Program Enforcement Under the California Consumer Privacy Act (CCPA)

Earlier this year, California Attorney General Rob Bonta announced an enforcement sweep of loyalty programs operated by retailers, supermarkets, home improvement stores, travel companies, and food service companies. The Office of the Attorney General has issued notices of noncompliance to a number of businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information, and whose programs the office believes might not be fully compliant with the California Consumer Privacy Act (CCPA).

What is a loyalty program?

While structured in a variety of ways, loyalty programs often track how much consumers have spent and/or which products they have purchased (patterns). There may be a membership fee associated with the loyalty program, or it may be offered for free. Some programs may offer prizes, third-party products or additional consumer products. While the CCPA does not specifically define a “loyalty program,” it is generally accepted that the basic principles of a loyalty program’s operation are to: 1) collect consumer information, and 2) provide some reward in exchange for consumer purchasing patterns.

Do all loyalty programs qualify as financial incentive programs?

Under the CCPA, a “financial incentive” is defined as “a program, benefit, or another offering, including payments to consumers, related to the collection, retention, or sale of personal information.” The Attorney General’s office has implied that all loyalty programs should receive the same treatment as other financial incentives if any personal information is collected or sold as part of the program. However, there is an argument for many loyalty programs that the benefits provided are related to consumer purchasing patterns, and not related to collecting personal information.

What are businesses obligated to do under the CCPA?

Because loyalty programs by their nature collect personal information, if a business offering a loyalty program is subject to the rules of the CCPA, then its loyalty program is automatically subject to the CCPA rules as well.

The following is not an exhaustive list, but it generally describes the notice obligations in relation to the program. The notice must explain how the consumer can subscribe to (prior opt-in consent) and terminate (withdraw consent) participation; at the point of collecting consumer information, the business must define the categories of personal information collected and how it will be used; a privacy notice must be made available to the loyalty program members; where a loyalty program sells the personal information of its members, it must include a “do not sell” link to permit consumers to opt out of the sale of their information; and the business must give notice of the value of the financial incentive.

More Rules Apply in 2023

Effective January 1, 2023, the California Privacy Rights Act (“CPRA”) amends the CCPA and adds a requirement for loyalty programs: a business is prohibited from requesting that a consumer provide opt-in consent for a loyalty program for at least 12 months after the consumer last declined to provide opt-in consent for that program. Unlike the CCPA, “consent” is defined under the CPRA.

Businesses should review their loyalty programs to ensure compliance with current CCPA rules and prepare for the CPRA. Contact us at Chase Law Group for help with your business legal questions, or call 310.545.7700.