Is Your Loyalty Program Compliant With CCPA?

For organizations that sell directly to consumers, loyalty programs can be an effective method for increasing revenue and encouraging brand loyalty. It has been proven that it’s easier to sell to existing customers than to acquire new customers. However, loyalty programs have recently come under increased scrutiny by California Attorney General Rob Bonta, in his enforcement of the California Consumer Privacy Act (CCPA).

On January 28, 2022, the California Attorney General notified several “major corporations” operating loyalty programs that they are in violation of the CCPA’s Notice of Financial Incentive requirement. That statement, which was published on Data Privacy Day, put all businesses that operate loyalty programs on notice.

Now is the time for organizations to review their loyalty programs to determine if there is the potential for additional scrutiny under the CCPA’s Notice of Financial Incentive (NOFI) requirement. Programs that meet the NOFI criteria (examples below) must have the appropriate notice in place disclosing how personal data is collected for financial gain:

  • Offering discounts or other rewards in exchange for personal information
  • Offering gift cards to individuals for completing a survey or questionnaire

What qualifies as a financial incentive?

The CCPA’s financial incentive requirement maintains that a business must provide notice to the consumer if it offers “financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.” (See California AG Privacy Day announcement)

But what exactly do they mean by financial incentive? Financial incentives can come in many forms:

  • Online – Discounts, rewards or loyalty programs
    • Example: Providing an email address to earn a coupon code at an online retailer.
  • Offline – Loyalty program, gift cards, coupons
    • Example: Entering a phone number into a keypad to earn points during checkout at the local grocery store.

If a business offers financial incentives to consumers in exchange for personal information, the CCPA requires the business to provide notice prior to collection. What a business should include in its financial incentive notices can be found in CCPA §1798.125(b).

It’s important to note that the upcoming CPRA amendment will not make any substantive changes to this requirement.

What to do next?

  • First, don’t panic.
  • Review the business’s position and consider what financial incentives are offered to consumers. Financial incentives can be offered in a variety of ways, from simple discounts to free items, loyalty programs, or other rewards. Do not forget – not everyone shops online! Brick-and-mortar stores need to be part of the review.
  • Once the types of financial incentives offered have been identified, review existing notices and consider these questions:
    • Does your organization provide notice? At what point in the process is notice provided? CCPA expects notice to be provided prior to enrolling a customer into a financial incentive program.
    • Is notice clearly provided, easy to read and understand, and consent captured?
    • Brick-and-mortar retailers offering financial incentives should also consider how they are providing notice.
    • Finally, take a closer look at the notice and ask the following (CCPA § 999.307):
      • Is the notice clear and does it explain the terms of the financial incentive?
      • Is opt-in consent obtained from the consumer?
      • Does the notice describe the categories of personal information being collected by the program?
      • Does the notice describe how a consumer can opt out of the financial incentive programs?

Has the business provided a good-faith explanation of how it quantifies the value of the consumer data collected through the financial incentive program? In this section, the business will need to put forth a monetary amount showing the value per personal information collected from a consumer.

Explain how those numbers were determined. That analysis can include, but need not be limited to, the following:

  • Expenses related to the collection, retention, and offering of loyalty programs
  • Expenses related to the collection and retention of consumer PI
  • Expenses related to total program operations, calculated by measuring the people costs and IT costs.

Organizations that offer loyalty programs or other types of financial incentive programs for the collection of personal information must provide explicit notice to consumers that clearly describes the program, and which allows consumers to make informed decisions about providing their personal data in exchange for benefits of the program. Organizations should perform a review of their loyalty programs to determine appropriate compliance requirements under CCPA. If a letter from the California Attorney General is received, review the claims, remediate any issues, and respond within the 30-day notice-to-cure period.

To learn more about our cybersecurity and privacy consulting services, contact us.

Ross Misheev

Associate Director
Security and Privacy

Vanessa Stout

Associate Director
Security and Privacy
