United States: California Attorney General sets sights on consumer loyalty programs for CCPA enforcement

In brief

On “Privacy Day” – California Attorney General Rob Bonta announced an investigative sweep targeted at the data collection practices of businesses running consumer loyalty programs in California and issued notices of non-compliance to a number of “major corporations” in the retail, home improvement, travel, and food services industries. Such loyalty programs offered financial incentives to consumers (e.g., discounts, free items, and other rewards) in exchange for their personal information.

---

Under the California Consumer Privacy Act of 2018, as amended by the Consumer Privacy Rights Act of 2020 (CCPA), businesses must not discriminate against consumers who exercise their rights to information deletion or object to the selling or sharing of their personal information. At the same time, businesses shall not be prohibited under the CCPA from “charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data” or “from offering loyalty, rewards, premium features, discounts, or club card programs”.

The California Attorney General promulgated in 2020 regulations that a business that offers a financial incentive or price or service difference shall provide a “notice of financial incentive” with prescribed disclosures, in addition to “at collection notices”, which businesses must generally provide at or before the time they collect personal information from consumers. In the “notice of financial incentive”, businesses must disclose material terms of incentive programs, including the value of the consumer’s information.

In the recent enforcement actions concerning failures to provide notices of financial incentive, the California Attorney General offered the businesses 30 days to come into compliance with the CCPA before further enforcement actions would be commenced (as is currently required under the CCPA). In a press release issued by the office of the Attorney General, Bonta “urge[d] all business[es] in California to take note and be transparent about how you are using your customer’s data”, signaling an intent to prioritize enforcement of loyalty and other similar consumer programs moving forward.

The notice of financial incentive must clearly describe the material terms of the financial incentive program, be readily available before a consumer opts in, and inform consumers that they may opt-out at any time. Specifically, a business must include the following in the notice:

1. A succinct summary of the financial incentive or price or service difference offered.
2. A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data.
3. How the consumer can opt-in to the financial incentive or price or service difference.
4. A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right.
5. An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
   • A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference.
   • A description of the method the business used to calculate the value of the consumer’s data.

It is clear that the notice of financial incentive must include how a consumer can “opt-in” (a term not defined in the CCPA), which should not be conflated with a requirement under the CCPA to obtain consent (a defined term in the CCPA). Many financial incentive programs require terms of use and thus a need for an agreement involving some form of consent, anyhow (and in such cases, a separate consent could be added), but there are contexts where companies ask for personal information that may trigger a requirement for a financial incentive notice where terms and conditions may not be required. Per Cal. Civ. Code Section 1798.125, a business may enter a consumer into a financial incentive program only if the consumer gives the business prior “opt-in consent” pursuant to Cal Civ. Code Section 1798.130. But the reference to 1798.130 is confusing because 1798.130 does not provide for how to obtain opt-in consent and, as amended, section 1798.130 has a heading of “notice, disclosure, correction, and deletion requirements”. If the reference is to be given any meaning, it supports that consent is not required before first enrolling a consumer in a financial incentive program because 1798.130(a)(5)(A) requires that businesses include in their CCPA online policy a description of a consumer’s rights pursuant to 1798.125 and methods for submitting requests. There are other possible readings of the CCPA on this point. But the CCPA generally does not require opt-in consent for data collection and has an opt-out structure with regards to selling personal information. It would seem logical that the drafters of the CCPA meant for a similar opt-out regime with respect to financial incentive programs to apply (where opt-in consent and waiting 12 months is only required after someone first opts out). And the title of 1798.125 has been amended to say “consumer’s right of no retaliation following opt-out or exercise of other rights”, which would seem supportive of such interpretation.

Businesses now face the difficult task to estimate the value of consumers’ personal information. They should carefully consider all implications from an accounting, tax and litigation perspective. For example, once a business publishes a value pertaining to personal information, the stated value will likely be considered in unrelated contexts and disputes such as data security breaches, trade secret misappropriation, breaches of marketing collaboration contracts with business partners, unclaimed property compliance (escheat), or transfer pricing arrangements in multinational groups. Courts will not be bound by the business’s valuation, of course, but adversaries may hold a published valuation number against a business as an admission of value and make it difficult to argue for a different valuation.

Our team is monitoring developments as the cure period for compliance provided in the notice nears expiration. Should you have questions in the meantime, please reach out to our team or your Baker McKenzie contacts for additional information.