CCPA Regulation Update: Managing a New Era of Loyalty Programs

April 22, 2020 Published Article

In part three of our breakdown of the California Attorney General’s proposed regulations, we want to address a key issue in the California Consumer Privacy Act (“CCPA”): loyalty programs. Loyalty or "reward" programs are specifically mentioned in the CCPA. When the CCPA was initially passed, it caused some commotion as to whether these loyalty programs would still exist, since they typically require that a business collect personal information about customers in order to provide customers a benefit. This could include anything from offering consumers discounts or faster service to a financial incentive (i.e. coupons). So, how does the CCPA apply to a loyalty program? Do these programs need to change? How can a business continue to provide tailored content, goods and services to its consumers?

The CCPA and Regulations on Loyalty Programs

To comply with the CCPA, loyalty programs must be non-discriminatory. Essentially, a business cannot implement a loyalty program or impose a price or service difference unless the differences are due to the value of the consumer's information. The proposed regulations give a good example: an online retailer cannot stop providing periodic coupons to consumers after a request for deletion unless it can demonstrate that the value of the coupons is reasonably related to the value of the information.

Thankfully, the proposed regulations have also discussed how data can be valued, which includes the revenue of the business from the retention of consumer information, the profit generated from retention, and any other practical and reasonably reliable method of calculation used in good faith. In addition, this calculation can be extended to the entire U.S. for simplicity, rather than isolating only transactions involving a California resident.

As an aside, for any "premium" programs, where better financial incentives or services may be provided for an additional cost, the new proposed regulations specify that these "premium" programs cannot have separate opt-out rights when compared to programs that do not include an additional cost, as such actions would be discriminatory unless the company can explain how the additional cost is related to the value of that consumer's information.

Notice of Loyalty Programs

In addition, where a loyalty program exists, an additional notice of financial incentive must be given to the consumer at or before opting into the program. The notice must explain the material terms before the consumer agrees, and must be in plain, straightforward language in a readable format. This would include making it accessible both on cell phones and to those with disabilities. Furthermore, the loyalty program notice must be separate from the general notice that would typically be provided within a privacy policy; it would be more akin to a terms of use for the loyalty program as a whole, and must include the following five items:

  1. A summary of the program (i.e. what incentives exist for the consumer?)
  2. A description of the material terms, including what information is at play for the program.
  3. How the consumer can opt-in to receive incentives.
  4. A statement of their right to withdraw at any time.
  5. An explanation as to how the program is related to the value of their data (i.e. repeat sales adding profit or revenue).

Finally, it should be noted that under the proposed guidelines, the existence of a loyalty program does create another opportunity for businesses to refuse to comply with a consumer's requests, as a business cannot simultaneously allow a customer to demand the deletion of information while continuing to provide them services associated with the loyalty program.

How to Comply?

To comply, a business should re-evaluate how its loyalty programs work, and to the extent possible, prepare the requisite notices as soon as possible. Ultimately, this could be done as part of updating a company’s terms of use, privacy policies, and other basic requirements to push the business towards compliance with the CCPA. Such an effort requires communication between marketing and legal teams to ensure that all aspects of the loyalty program are accounted for.

Newmeyer Dillion has created a 90-day CCPA compliance program (which can be expedited to 60 days) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. Contact us for more information.