In its most recent efforts to enforce the California Consumer Privacy Act (CCPA), the Office of California Attorney General Rob Bonta has announced an investigative sweep of businesses offering financial incentives to California residents (“Consumers”) in exchange for the collection, use, or sale of their personal information.
The AG’s Office, in a press release issued on January 28, 2022 (Data Privacy Day), stated that it had sent violation notices to major businesses in the retail, home improvement, travel and food services industries, which will have 30 days from receipt of a notice to cure any alleged CCPA violations, such as the failure to provide Consumers with adequate disclosures regarding financial incentives.
Under the CCPA, financial incentives may include commonly offered incentive programs, such as loyalty, rewards, benefit or membership programs related to the collection or sale of personal information.
Price or service differences include (1) any differences in the prices or rates charged for any good or services to any Consumer related to the collection, retention, or sale of personal information, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any differences in the level or quality of goods or services offered to the Consumer related to the collection, retention, or sale of personal information, including the denial of goods or services to the consumer (together with financial incentives, “Loyalty Programs”).
As a general matter, Loyalty Programs are considered discriminatory if a business treats a Consumer differently because the Consumer exercised a right conferred by the CCPA. However, the CCPA allows businesses to offer Loyalty Programs to Consumers for the collection, sale, or deletion of personal information if the financial incentive or price or service difference is reasonably related to the value of the Consumer’s personal information.
Businesses that offer Loyalty Programs must make specific disclosures regarding these programs available to Consumers. Specifically, businesses must provide Consumers with a notice that includes:
- a summary of the financial incentive or price or service difference offered
- a description of the material terms
- how Consumers may opt in
- a statement of a Consumer’s right to opt out at any time and an explanation of how to exercise that right and
- an explanation of how the incentive is related to the value of the consumer’s data.
The notice to Consumers must:
- use plain, straightforward language and avoid technical or legal jargon
- use a format that draws the Consumer’s attention to the notice and makes the notice readable, including on smaller screens
- be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to Consumers;
- be reasonably accessible to Consumers with disabilities
- if provided online, follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium and
- be readily available where Consumers will encounter it before opting in to the financial incentive or price or service difference.
In addition, businesses that offer Loyalty Programs must use and document a good faith method for calculating the value of the Consumer’s data, considering one or more of several specified valuation methods. If a business is unable to calculate a good-faith estimate of the value of the Consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the Consumer’s data, that business cannot offer the Loyalty Program.
A signal from the California Attorney General
The launch of the investigative sweep of businesses offering Loyalty Programs builds on recent enforcement efforts and signals the AG’s latest CCPA enforcement priority. Given the CCPA’s broad definitions, many loyalty, rewards, and subscription-based programs may qualify as “financial incentives” or “price or service differences” that require businesses to provide Consumers with required disclosures and honor Consumer requests to withdraw from such programs. In July 2021, Attorney General Bonta issued a first year CCPA enforcement update, which reported that, after receiving a notice of alleged violation, 75 percent of businesses acted to come into compliance within the 30-day statutory cure period.
Published case examples illustrate that enforcement efforts had primarily been focusing on three key areas, including whether covered businesses (1) posted CCPA-compliant privacy policies and notices; (2) offered CCPA-compliant methods for consumers to exercise their rights, including the right to opt out of “sales” of personal information; and (3) had written contracts in place with service providers that contained necessary contractual commitments concerning permitted uses and disclosures of Consumer personal information.
Under the upcoming California Privacy Rights Act (CPRA), which will replace the CCPA on January 1, 2023, businesses may, provided that the Consumer has opted in, offer (1) financial incentives for the collection, sale, sharing or retention of personal information; and (2) a different price, rate, level or quality of goods or services if that price or difference is reasonably related to the value that the Consumer’s data provides to the business.
With respect to opt-in and disclosure requirements, similar, but slightly different rules will apply under the CPRA. Notably, if a Consumer has opted out of a financial incentive or price or service difference, a business may not ask the Consumer to opt back in to the program for a period of 12 months following the opt-out.
Given the AG’s current focus on Loyalty Programs, businesses should closely examine any loyalty and rewards programs that they make available to Consumers to determine whether they may be considered “financial incentives” or “price or service differences” under the CCPA. To the extent applicable, businesses should assess whether they need to revisit disclosures included in current privacy policies and Consumer notices, as well as policies and procedures for responding to Consumer rights requests and honoring Consumer choices.
Importantly, businesses offering Loyalty Programs should also determine how the financial incentive or price or service difference they offer to Consumers is reasonably related to the value of the Consumer’s data, considering one or more of the approved valuation methods.
Looking ahead to 2023, businesses should be prepared to assess the extent to which they will be subject to the CPRA and its updated requirements regarding Loyalty Programs.
To learn more about the implications of this development, contact our data privacy team via PrivacyGroup@dlapiper.com.