The CCPA: Loyalty Programs Put on Notice
The 2022 Data Privacy Day (January 28) wasn’t fun and games for everyone. The California Attorney General sent notices of violation to numerous businesses based on their loyalty programs. Loyalty programs have long been an area of concern and controversy under the California Consumer Privacy Act. The issue arises from Section 1798.125, which prohibits businesses from discriminating against consumers based on the consumer’s exercise of privacy rights under the CCPA.
Loyalty programs rely on retaining repeat consumers and learning more about individual consumers. If a consumer could reap the rewards of loyalty membership but eliminate the benefit to the business, either by preventing the business from collecting their data or by telling the business to delete their data, the consumer would be getting something while giving the business nothing. In operating their loyalty programs, businesses need to be able to discriminate between consumers who share their information with the business through the loyalty rewards program and those who don’t.
So, can businesses continue to use loyalty rewards programs? The text of the CCPA is the best starting point. The text says:
1798(b)1
A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer’s data.
However, if a financial incentive is offered, the CCPA requires the business to:
- Notify the consumer of the financial incentive.
- Obtain the consumer’s affirmative consent to the material terms of the financial incentive program; and
- Permit the consumer to revoke consent at any time.
In summary, a business can offer financial incentives which are typical of loyalty rewards programs in exchange for collecting the consumer’s personal information as long as the business informs the consumer about the financial incentive, obtains the consumer’s affirmative consent to the material terms of the program, and allows the consumer to revoke their consent at any time.
The businesses that received notices of noncompliance have been granted 30 days to cure the noncompliance. Surely, in the future they will provide notice about the financial incentive, gather affirmative consent, and allow revocation at any point.
The Attorney General’s Office’s handling of loyalty programs under the CCPA is a win-win for consumers and businesses. Consumers get more clarity about what exactly they are signing up for and get to opt in and opt out at their discretion. Businesses get to maintain their loyalty rewards programs, which encourage brand loyalty. The Attorney General’s Office has been gentle on businesses so far, but the leniency will eventually run out.
A key part of the successful operation of a loyalty rewards program is managing consent. Clarip’s consent management platform makes managing consumer consents easy. It is just as easy for consumers to give consent as it is to withdraw it, and consent can be withdrawn at any time. Clarip also provides solutions for other aspects of CCPA compliance, including data subject access request fulfillment, data mapping, and much more. Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.