Is Your Loyalty Program Compliant With CCPA?

For organizations that sell directly to consumers, loyalty programs can be an effective method for increasing revenue and encouraging brand loyalty. It has been proven that it’s easier to sell to existing customers than to acquire new customers. However, loyalty programs have recently come under increased scrutiny by California Attorney General Rob Bonta, in his enforcement of the California Consumer Privacy Act (CCPA).

On January 28, 2022, the California Attorney General notified several “major corporations” operating loyalty programs that they are in violation of the CCPA’s Notice of Financial Incentive requirement. That statement, which was published on Data Privacy Day, put all businesses that operate loyalty programs on notice.

Now is the time for organizations to review their loyalty programs to determine if there is the potential for additional scrutiny under the CCPA’s Notice of Financial Incentive (NOFI) requirement. Programs that meet the NOFI criteria (examples below) must have the appropriate notice in place disclosing how personal data is collected for financial gain:

  • Offering discounts or other rewards in exchange for personal information
  • Offering gift cards to individuals for completing a survey or questionnaire

What qualifies as a financial incentive?

The CCPA’s financial incentive requirement maintains that a business must provide notice to the consumer if it offers “financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.” (See California AG Privacy Day announcement)

But what exactly do they mean by financial incentive? Financial incentives can come in many forms:

  • Online – Discounts, rewards or loyalty programs
    • Example: Providing an email address to earn a coupon code at an online retailer.
  • Offline – Loyalty program, gift cards, coupons
    • Example: Entering a phone number into a keypad to earn points during checkout at the local grocery store.

If a business offers financial incentives to consumers in exchange for personal information, the CCPA requires the business to provide notice prior to collection. What a business should include in their financial incentive notices can be found in CCPA §1798.125(b).

It’s important to note that the upcoming CPRA amendment will not make any substantive changes to this requirement.

What to do next?

  • First, don’t panic.
  • Review the business’s position and consider what financial incentives are offered to consumers. Financial incentives can be offered in a variety of ways, from simple discounts to free items, loyalty programs, or other rewards. Do not forget – not everyone shops online! Brick-and-mortar stores need to be part of the review.
  • Once the types of financial incentives offered have been identified, review existing notices and consider these questions:
    • Does your organization provide notice? At what point in the process is notice provided? CCPA expects notice to be provided prior to enrolling a customer into a financial incentive program.
    • Is notice clearly provided, easy to read and understand, and is consent captured?
    • Brick and mortar retailers offering financial incentives should also consider how they are providing notice.
    • Finally, take a closer look at the notice and ask the following (CCPA § 999.307):
      • Is the notice clear and does it explain the terms of the financial incentive?
      • Is opt-in consent obtained from the consumer?
      • Does the notice describe the categories of personal information being collected by the program?
      • Does the notice describe how a consumer can opt-out of the financial incentive programs?

Has the business provided a good-faith explanation of how it quantifies the value of the consumer data collected through the financial incentive program? In this section, the business will need to put forth a monetary amount showing the value per personal information collected from a consumer.

Explain how those numbers were determined. That analysis can include, but need not be limited to, the following:

  • Expenses related to the collection, retention, and offering of loyalty programs
  • Expenses related to the collection and retention of consumer PI
  • Expenses related to the total program operating expenses, calculated by measuring the people costs and IT costs.

Organizations that offer loyalty programs or other types of financial incentive programs for the collection of personal information must provide explicit notice to consumers that clearly describes the program and allows consumers to make informed decisions about providing their personal data in exchange for the benefits of the program. Organizations should perform a review of their loyalty programs to determine the applicable compliance requirements under CCPA. If a letter from the California Attorney General is received, review the claims, remediate any issues, and respond within the 30-day notice-to-cure period.


Ross Misheev

Associate Director
Security and Privacy

Vanessa Stout

Associate Director
Security and Privacy
