United States: California Attorney General sets sights on consumer loyalty programs for CCPA enforcement
On “Privacy Day”, California Attorney General Rob Bonta announced an investigative sweep targeted at the data collection practices of businesses running consumer loyalty programs in California and issued notices of non-compliance to a number of “major corporations” in the retail, home improvement, travel, and food services industries. Such loyalty programs offered financial incentives to consumers (e.g., discounts, free items, and other rewards) in exchange for their personal information.
Under the California Consumer Privacy Act of 2018, as amended by the Consumer Privacy Rights Act of 2020 (CCPA), businesses must not discriminate against consumers who exercise their rights to information deletion or object to the selling or sharing of their personal information. At the same time, businesses shall not be prohibited under the CCPA from “charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data” or “from offering loyalty, rewards, premium features, discounts, or club card programs”.
In 2020, the California Attorney General promulgated regulations requiring a business that offers a financial incentive or price or service difference to provide a “notice of financial incentive” with prescribed disclosures, in addition to “at collection notices”, which businesses must generally provide at or before the time they collect personal information from consumers. In the “notice of financial incentive”, businesses must disclose material terms of incentive programs, including the value of the consumer’s information.
In the recent enforcement actions concerning failures to provide notices of financial incentive, the California Attorney General offered the businesses 30 days to come into compliance with the CCPA before further enforcement actions would be commenced (as is currently required under the CCPA). In a press release issued by the office of the Attorney General, Bonta “urge[d] all business[es] in California to take note and be transparent about how you are using your customer’s data”, signaling an intent to prioritize enforcement of loyalty and other similar consumer programs moving forward.
The notice of financial incentive must clearly describe the material terms of the financial incentive program, be readily available before a consumer opts in, and inform consumers that they may opt out at any time. Specifically, a business must include the following in the notice:
- A succinct summary of the financial incentive or price or service difference offered.
- A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data.
- How the consumer can opt in to the financial incentive or price or service difference.
- A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right.
- An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
  - A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference.
  - A description of the method the business used to calculate the value of the consumer’s data.
Businesses now face the difficult task of estimating the value of consumers’ personal information. They should carefully consider all implications from an accounting, tax and litigation perspective. For example, once a business publishes a value pertaining to personal information, the stated value will likely be considered in unrelated contexts and disputes such as data security breaches, trade secret misappropriation, breaches of marketing collaboration contracts with business partners, unclaimed property compliance (escheat), or transfer pricing arrangements in multinational groups. Courts will not be bound by the business’s valuation, of course, but adversaries may hold a published valuation number against a business as an admission of value and make it difficult to argue for a different valuation.
Our team is monitoring developments as the cure period for compliance provided in the notice nears expiration. Should you have questions in the meantime, please reach out to our team or your Baker McKenzie contacts for additional information.