On January 28, the California Attorney General (AG) announced his office was initiating an investigative sweep of businesses that operate loyalty programs and do not adequately provide a notice of financial incentive, as required under the California Consumer Privacy Act of 2018 (CCPA). This announcement by the AG is significant because it marks the first time the AG has publicly announced a targeted enforcement effort under the CCPA since releasing a general list of enforcement case examples this past July.
Below we highlight the CCPA notice of financial incentive requirement, the AG’s announcement, and provide key takeaways for organizations planning compliance.
CCPA Notice of Financial Incentive
Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or loyalty programs, in exchange for personal information must provide California residents with a notice explaining the nature of that financial incentive. The notice must clearly describe the material terms of the financial incentive program before the individual opts-in to the program, and must provide the individual the opportunity to opt-out.
The notice must be easy to read, accessible, and delivered to the California resident at or before the point of collection.
AG Enforcement
The California AG announced on January 28 that it had sent a number of letters to “major corporations in the retail, home improvement, travel, and food services industries” relating to non-compliance with the notice of financial incentive requirement as it relates to their loyalty programs.
This announcement marks the first time the California AG has publicly announced a specific enforcement priority under the CCPA since releasing enforcement examples in July 2021. Under the CCPA, the AG has the sole authority to enforce the notice of financial incentive requirement. Effective July 1, 2023, that enforcement authority will be shared with a new privacy enforcement agency known as the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act (CPRA) – an amendment to the CCPA.
Key Takeaway
Organizations that operate loyalty programs are the direct target of the AG’s announcement and must pay particular attention to their notices, and how those notices are delivered to California residents.
But the notice of financial incentive requirement goes beyond loyalty programs. Many organizations offer a discount in exchange for personal information (e.g., 10% off first time purchases in exchange for an email address). These programs could also be interpreted by the California AG as a financial incentive, requiring adequate notice. And as organizations move into 2023, unless otherwise exempted, the notice of financial incentive requirements would apply to employees and B2B data, significantly expanding the scope of the laws reach.
Preparing and delivering a notice of financial incentive requires planning and strategic thinking. How is the data valued? How should the notice be delivered? Should it be a stand-alone document or incorporated into the broader privacy policy? How can the consumer opt-in to the program before entering their data in exchange for the incentive program? And does the program risk creating a claim of discrimination if the individual opts-out or deletes their data?
Answering these questions requires strategic thinking that not only takes into account compliance needs but also business needs around the collection and use of data. Organizations should audit their current incentive programs to determine whether a notice is appropriate, and if so the strategic considerations in collecting information in a way that maximizes flexibility for future use cases (e.g., collecting first-party data for ad measurement purposes, etc.). Organizations should also consider building into their existing marketing strategies a process by which all financial incentives are reviewed for compliance with the CCPA / CPRA before launched to ensure no discount program slips through the cracks.
Ultimately, the notice of financial incentive requirement may be further adjusted when the CPPA releases its draft CPRA regulations this year. For now, organizations should do what they can to shore up this important but often overlooked compliance element under the CCPA and pay close attention to all financial incentives regardless of form or format.
