Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

US State Privacy Update: California AG Targets Financial Incentives For CCPA Enforcement

By Peter Stockburger
February 18, 2022
  • Consumer Protection
  • Enforcement
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • United States
Share on Facebook Share on Twitter Share via email Share on LinkedIn

On January 28, the California Attorney General (AG) announced his office was initiating an investigative sweep of businesses that operate loyalty programs and do not adequately provide a notice of financial incentive, as required under the California Consumer Privacy Act of 2018 (CCPA). This announcement by the AG is significant because it marks the first time the AG has publicly announced a targeted enforcement effort under the CCPA since releasing a general list of enforcement case examples this past July.

Below we highlight the CCPA notice of financial incentive requirement, the AG’s announcement, and provide key takeaways for organizations planning compliance.

CCPA Notice of Financial Incentive

Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or loyalty programs, in exchange for personal information must provide California residents with a notice explaining the nature of that financial incentive. The notice must clearly describe the material terms of the financial incentive program before the individual opts-in to the program, and must provide the individual the opportunity to opt-out.

The notice must be easy to read, accessible, and delivered to the California resident at or before the point of collection.

AG Enforcement

The California AG announced on January 28 that it had sent a number of letters to “major corporations in the retail, home improvement, travel, and food services industries” relating to non-compliance with the notice of financial incentive requirement as it relates to their loyalty programs.

This announcement marks the first time the California AG has publicly announced a specific enforcement priority under the CCPA since releasing enforcement examples in July 2021. Under the CCPA, the AG has the sole authority to enforce the notice of financial incentive requirement. Effective July 1, 2023, that enforcement authority will be shared with a new privacy enforcement agency known as the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act (CPRA) – an amendment to the CCPA.

Key Takeaway

Organizations that operate loyalty programs are the direct target of the AG’s announcement and must pay particular attention to their notices, and how those notices are delivered to California residents.

But the notice of financial incentive requirement goes beyond loyalty programs. Many organizations offer a discount in exchange for personal information (e.g., 10% off first time purchases in exchange for an email address). These programs could also be interpreted by the California AG as a financial incentive, requiring adequate notice. And as organizations move into 2023, unless otherwise exempted, the notice of financial incentive requirements would apply to employees and B2B data, significantly expanding the scope of the laws reach.

Preparing and delivering a notice of financial incentive requires planning and strategic thinking. How is the data valued? How should the notice be delivered? Should it be a stand-alone document or incorporated into the broader privacy policy? How can the consumer opt-in to the program before entering their data in exchange for the incentive program? And does the program risk creating a claim of discrimination if the individual opts-out or deletes their data?

Answering these questions requires strategic thinking that not only takes into account compliance needs but also business needs around the collection and use of data. Organizations should audit their current incentive programs to determine whether a notice is appropriate, and if so the strategic considerations in collecting information in a way that maximizes flexibility for future use cases (e.g., collecting first-party data for ad measurement purposes, etc.). Organizations should also consider building into their existing marketing strategies a process by which all financial incentives are reviewed for compliance with the CCPA / CPRA before launched to ensure no discount program slips through the cracks.

Ultimately, the notice of financial incentive requirement may be further adjusted when the CPPA releases its draft CPRA regulations this year. For now, organizations should do what they can to shore up this important but often overlooked compliance element under the CCPA and pay close attention to all financial incentives regardless of form or format.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
CCPA, CPPA, CPRA, Financial Incentive
Peter Stockburger

About Peter Stockburger

Peter Stockburger is the office managing partner for the Firm's San Diego office, a member of the Firm's Global Data Privacy and Venture Technology Groups, and co-lead of the Firm's Autonomous Vehicles practice. With a focus on data privacy and security, Peter partners with clients around the globe to leverage data and talent to grow, operate, and protect their business.

All posts Full bio

RELATED POSTS

  • Data Transfers
  • Europe
  • New and Proposed Laws
  • United States

Schrems: Decision Due Next Week

By Simon Elliott
  • Enforcement
  • Government Information
  • United States

President Trump’s Budget Requests $1.5B For Homeland Security Cyber Unit

By Peter Stockburger
  • Data Transfers
  • Europe
  • New and Proposed Laws

Data Protection Regulation: back on track?

  The Council of the EU has been busy discussing the draft Regulation this week.  There is a press release and […]

By Nick Graham

About Dentons

Across over 80 countries, Dentons helps you grow, protect, operate and finance your organization by providing uniquely global and deeply local legal solutions. Polycentric, purpose-driven and committed to inclusion, diversity, equity and sustainability, we focus on what matters most to you. www.dentons.com

Grow, Protect, Operate, Finance. Dentons, the law firm of the future is here. Copyright 2023 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. Please see dentons.com for Legal notices.

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo in black and white

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site