Listen to this post

On January 28, 2022, California Attorney General Rob Bonta published a statement regarding recent investigations conducted by the California Office of Attorney General (“AG”) with respect to businesses operating loyalty programs and their compliance with the California Consumer Privacy Act’s (“CCPA’s”) financial incentive requirements. As a result of the investigations, the AG’s Office sent non-compliance notices to major corporations across multiple sectors, including retail, food services, travel and home improvement. The businesses have 30 days to cure the alleged CCPA violations and bring their loyalty programs into compliance with the CCPA. Otherwise, enforcement action can be initiated.

Under the CCPA, a business may offer financial incentives to consumers for the collection of personal information, including through loyalty programs. Such businesses must, in compliance with the CCPA and CCPA Regulations, provide notice of the financial incentive, clearly describe the material terms of the financial incentive program, and obtain prior opt-in consent for participation in the program.

In its press release, the AG made clear that it considers loyalty programs to constitute financial incentive programs under the CCPA, stating that the non-compliance notices are part of the AG’s focus on businesses that are “failing to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA.” (Emphasis added.) The AG also emphasized the requirement to provide notice of financial incentive with respect to both online and offline data collection in connection with loyalty programs, stating, “[i]n the digital age, it’s easy to forget that our data isn’t only collected when we go online. It’s collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store […] I urge all businesses in California to take note and be transparent about how you’re using your customer’s data.”