Is Your Loyalty Program Compliant With CCPA?

For organizations that sell directly to consumers, loyalty programs can be an effective method for increasing revenue and encouraging brand loyalty. It has been proven that it is easier to sell to existing customers than to acquire new ones. However, loyalty programs have recently come under increased scrutiny from California Attorney General Rob Bonta in his enforcement of the California Consumer Privacy Act (CCPA).

On January 28, 2022, the California Attorney General notified several “major corporations” operating loyalty programs that they are in violation of the CCPA’s Notice of Financial Incentive requirement. That statement, which was published on Data Privacy Day, put all businesses that operate loyalty programs on notice.

Now is the time for organizations to review their loyalty programs to determine whether they could draw scrutiny under the CCPA’s Notice of Financial Incentive (NOFI) requirement. Programs that meet the NOFI criteria (examples below) must have the appropriate notice in place disclosing how personal data is collected in exchange for a financial incentive:

  • Offering discounts or other rewards in exchange for personal information
  • Offering gift cards to individuals for completing a survey or questionnaire

What qualifies as a financial incentive?

The CCPA’s financial incentive requirement maintains that a business must provide notice to the consumer if it offers “financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.” (See California AG Privacy Day announcement)

But what exactly do they mean by financial incentive? Financial incentives can come in many forms:

  • Online – Discounts, rewards or loyalty programs
    • Example: Providing an email address to earn a coupon code at an online retailer.
  • Offline – Loyalty program, gift cards, coupons
    • Example: Entering a phone number into a keypad to earn points during checkout at the local grocery store.

If a business offers financial incentives to consumers in exchange for personal information, the CCPA requires the business to provide notice prior to collection. What a business should include in their financial incentive notices can be found in CCPA §1798.125(b).

It’s important to note that the upcoming CPRA amendment will not make any substantive changes to this requirement.

What to do next?

  • First, don’t panic.
  • Review the business’s position and consider what financial incentives are offered to consumers. Financial incentives can be offered in a variety of ways, from simple discounts to free items, loyalty programs, or other rewards. Do not forget – not everyone shops online! Brick-and-mortar stores need to be part of the review.
  • Once the types of financial incentives offered have been identified, review existing notices and consider these questions:
    • Does your organization provide notice? At what point in the process is notice provided? CCPA expects notice to be provided prior to enrolling a customer into a financial incentive program.
    • Is the notice clearly provided and easy to read and understand, and is consent captured?
    • Brick and mortar retailers offering financial incentives should also consider how they are providing notice.
    • Finally, take a closer look at the notice and ask the following (CCPA § 999.307):
      • Is the notice clear and does it explain the terms of the financial incentive?
      • Is opt-in consent obtained from the consumer?
      • Does the notice describe the categories of personal information being collected by the program?
      • Does the notice describe how a consumer can opt-out of the financial incentive programs?

Has the business provided a good-faith explanation of how it quantifies the value of the consumer data collected through the financial incentive program? In this section, the business will need to put forth a monetary amount showing the value of the personal information collected from a consumer.

Explain how those numbers were determined. That analysis can include, but need not be limited to, the following:

  • Expenses related to the collection, retention, and offering of loyalty programs
  • Expenses related to the collection and retention of consumer PI
  • Total program operating expenses, calculated from personnel costs and IT costs.

Organizations that offer loyalty programs or other types of financial incentive programs for the collection of personal information must provide explicit notice to consumers that clearly describes the program and allows consumers to make informed decisions about providing their personal data in exchange for the benefits of the program. Organizations should review their loyalty programs to determine the applicable compliance requirements under the CCPA. If a letter from the California Attorney General is received, review the claims, remediate any issues, and respond within the 30-day notice-to-cure period.

To learn more about our cybersecurity and privacy consulting services, contact us.

Ross Misheev

Associate Director
Security and Privacy

Vanessa Stout

Associate Director
Security and Privacy
