Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

US State Privacy Update: California AG Targets Financial Incentives For CCPA Enforcement

By Peter Stockburger
February 18, 2022
  • Consumer Protection
  • Enforcement
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • United States
Share on Facebook Share on Twitter Share via email Share on LinkedIn

On January 28, the California Attorney General (AG) announced his office was initiating an investigative sweep of businesses that operate loyalty programs and do not adequately provide a notice of financial incentive, as required under the California Consumer Privacy Act of 2018 (CCPA). This announcement by the AG is significant because it marks the first time the AG has publicly announced a targeted enforcement effort under the CCPA since releasing a general list of enforcement case examples this past July.

Below we highlight the CCPA notice of financial incentive requirement, the AG’s announcement, and provide key takeaways for organizations planning compliance.

CCPA Notice of Financial Incentive

Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or loyalty programs, in exchange for personal information must provide California residents with a notice explaining the nature of that financial incentive. The notice must clearly describe the material terms of the financial incentive program before the individual opts-in to the program, and must provide the individual the opportunity to opt-out.

The notice must be easy to read, accessible, and delivered to the California resident at or before the point of collection.

AG Enforcement

The California AG announced on January 28 that it had sent a number of letters to “major corporations in the retail, home improvement, travel, and food services industries” relating to non-compliance with the notice of financial incentive requirement as it relates to their loyalty programs.

This announcement marks the first time the California AG has publicly announced a specific enforcement priority under the CCPA since releasing enforcement examples in July 2021. Under the CCPA, the AG has the sole authority to enforce the notice of financial incentive requirement. Effective July 1, 2023, that enforcement authority will be shared with a new privacy enforcement agency known as the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act (CPRA) – an amendment to the CCPA.

Key Takeaway

Organizations that operate loyalty programs are the direct target of the AG’s announcement and must pay particular attention to their notices, and how those notices are delivered to California residents.

But the notice of financial incentive requirement goes beyond loyalty programs. Many organizations offer a discount in exchange for personal information (e.g., 10% off first time purchases in exchange for an email address). These programs could also be interpreted by the California AG as a financial incentive, requiring adequate notice. And as organizations move into 2023, unless otherwise exempted, the notice of financial incentive requirements would apply to employees and B2B data, significantly expanding the scope of the laws reach.

Preparing and delivering a notice of financial incentive requires planning and strategic thinking. How is the data valued? How should the notice be delivered? Should it be a stand-alone document or incorporated into the broader privacy policy? How can the consumer opt-in to the program before entering their data in exchange for the incentive program? And does the program risk creating a claim of discrimination if the individual opts-out or deletes their data?

Answering these questions requires strategic thinking that not only takes into account compliance needs but also business needs around the collection and use of data. Organizations should audit their current incentive programs to determine whether a notice is appropriate, and if so the strategic considerations in collecting information in a way that maximizes flexibility for future use cases (e.g., collecting first-party data for ad measurement purposes, etc.). Organizations should also consider building into their existing marketing strategies a process by which all financial incentives are reviewed for compliance with the CCPA / CPRA before launched to ensure no discount program slips through the cracks.

Ultimately, the notice of financial incentive requirement may be further adjusted when the CPPA releases its draft CPRA regulations this year. For now, organizations should do what they can to shore up this important but often overlooked compliance element under the CCPA and pay close attention to all financial incentives regardless of form or format.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
CCPA, CPPA, CPRA, Financial Incentive
Peter Stockburger

About Peter Stockburger

Peter Stockburger is the office managing partner for the Firm's San Diego office, a member of the Firm's Global Data Privacy and Venture Technology Groups, and co-lead of the Firm's Autonomous Vehicles practice. With a focus on data privacy and security, Peter partners with clients around the globe to leverage data and talent to grow, operate, and protect their business.

All posts Full bio

RELATED POSTS

  • Europe
  • New and Proposed Laws
  • Privacy Rights

Europe under Review: Part 8 of 8 – Individual Rights

This week we look at the last topic in our series of “back to data privacy basics”: individual rights. Rights […]

By Scott Singer
  • Data Transfers
  • Europe
  • United Kingdom
  • United States

International data transfers in the post-Schrems II reality

By Todd Daubert, Simon Elliott, Marc Elshof, Nick Graham, Tatiana Kruse, Giangiacomo Olivi, and Christian Schefold
  • Canada
  • Marketing, Cookies & Spam
  • United States

How Canada’s Anti-Spam Enforcers will Cooperate, Coordinate, Share Information

Canada’s Anti-Spam Legislation (CASL) brings with it new legal violations and penalties, some of which become effective as of July 1, 2014.   […]

By Margot Patterson

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site