From the straightforward "buy 9 smoothies, get 1 free," to sophisticated frequent flyer programs, loyalty programs are a staple in today's consumer-driven market. These programs offer rewards, discounts, or other special incentives simply for repeat business. But, does this simple marketing ploy come with great risk?
At the end of January 2022, the California Office of Attorney General released a press release announcing that the California DOJ sent letters to major corporations in the retail, home improvement, travel, and food service industries alleging non-compliance with the California Consumer Privacy Act (CCPA). The notified companies have thirty days to cure and come into compliance with the CCPA. Specifically, the press release stated:
"Under the CCPA, businesses that offer financial incentives, such as discounts, free items, and other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt in to the program..."
Like many terms in the CCPA, a "financial incentive" is defined broadly to mean "a program, benefit, or other offering, including payment to consumers, related to the collection, deletion, or sale of personal information."
The AG's press release offers some clarity—and perhaps finality—to an often contested provision of the CCPA. Many companies have long argued that loyalty programs were not actually offering financial incentives for the collection of personal information and that any collection of personal information was incidental. Yet now, the AG's statement makes clear that companies offering loyalty programs must comply with certain provisions of the CCPA.
Companies offering loyalty programs must: (1) notify the customer of the financial incentive (the "Notice of Financial Incentive"), (2) obtain the consumer's opt-in consent to the material terms of the financial incentive program, and (3) permit the consumer to revoke consent at any time. The Notice of Financial Incentive must explain, among other things, how the financial incentive or price or service difference is reasonably related to the value of the consumer's data. In order to do so, companies must conduct an analysis of the value of the consumer's data that forms the basis for the financial incentive.
The risk here is that companies who do not perform such an analysis may be deemed to be offering discriminatory financial initiatives, which is prohibited under the CCPA. The CCPA is very clear that businesses cannot discriminate against consumers who exercise any of the rights given by the CCPA, such as the right to opt out of the sale to their data. Meeting the requirements of a financial incentive provides an exception to the nondiscrimination provision.
So is it time to stop rewarding loyalty? The short answer is no. We can keep our loyalty programs so long as we are paying close attention to the requirements of the CCPA. Nixon Peabody's Cybersecurity & Privacy Team can help navigate the provisions of the CCPA governing financial incentives.