California Attorney General Rob Bonta has recently announced his office is conducting “an investigative sweep” of businesses that offer customer loyalty programs to ensure they are fully complying with the California Consumer Privacy Act (CCPA). The enforcement drive, the announcement of which coincided with Data Privacy Day, saw notifications issued to businesses that are alleged to have violated the CCPA with their customer loyalty programs.
The CCPA does not prohibit businesses from operating customer loyalty programs that offer discounts on purchases, free items, or other rewards in exchange for customers providing their personal information, but if they do operate such as scheme, they are required to provide clear notice to California residents about the nature of the scheme and obtain opt-in consent from consumers prior to any participation in such a program.
Notices must advise California residents about the financial incentive scheme and the material terms of the financial incentive program in clear and easy to understand language, including the financial incentive or difference in prices/quality of goods and services, the categories of personal data that are involved, how the financial incentive is related to the value of consumer data, a good faith estimate of the value of a consumer’s data, a description of the method used to calculate the value of a consumer’s data, and the notice must explain that a consumer has the right to withdraw consent at any time and how consent can be withdrawn.
Attorney General Bonta confirmed that notices have been sent to businesses in a range of sectors, including retail, travel, food services, and home improvement. Any business receiving a notification letter about alleged non-compliance with the CCPA is allowed up to 30 days to correct the alleged violations. If all necessary corrective actions are not taken within those 30 days, the Office of the Attorney General will start enforcement proceedings, which will likely result in a financial penalty being imposed.
Attorney General Bonta has made it clear that customer loyalty programs are classed as financial incentive programs under CCPA, and that the CCPA covers online and offline data collection associated with loyalty programs. “In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It’s collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store,” said Attorney General Bonta. “We may not always realize it, but these brick-and-mortar stores are collecting our data – and they’re finding new ways to profit from it.”
Any business subject to the CCPA that operates a customer loyalty program should conduct a review of their program to ensure it is compliant with the CCPA, irrespective of whether they have received a notice of non-compliance from the Office of the California Attorney General.