While many of us were celebrating Data Privacy Day last Friday, California Attorney General Rob Bonta tweeted and released a statement that his office has sent warning letters to businesses in a variety of industries for alleged failure to comply with CCPA. This marks the second year in a row in which the AG has used Data Privacy Day to announce an update to CCPA enforcement (last year the AG issued a tweet related to Global Privacy Control (GPC), which faced criticism from ad tech stakeholders). Although the tweet and statement do not name the letter recipients or provide details of the alleged offenses, they offer important insight into the AG’s position on financial incentives and CCPA enforcement priorities.
Who received letters from the AG?
According to the statement, the AG’s Office conducted an “investigative sweep of a number of businesses operating loyalty programs in California[,]” including in the retail, home improvement, travel, and food services industries. The AG sent warning letters to those businesses operating loyalty programs that appeared non-compliant with the financial incentive obligations under CCPA. The letter recipients have 30 days to fix the alleged violations before the AG can bring formal enforcement action.
What is the financial incentive obligation under CCPA?
The financial incentive obligation has been one of the more confusing and controversial aspects of CCPA. In sum, a business that offers a financial incentive must: (1) provide notice to consumers of the material terms of the financial incentive; and (2) obtain opt-in consent from consumers to the financial incentive, which can be revoked at any time. The CCPA and accompanying Regs set out highly specific requirements regarding the notice and opt-in.
What is a financial incentive? Is a loyalty program a financial incentive?
The term “financial incentive” is not well defined under CCPA, and efforts failed during the CCPA amendment process to clarify the term. The CCPA Regs later defined the term to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.” While the Regs mention loyalty programs in the context of potential discriminatory practices, the Regs do not go as far as to expressly state that a loyalty program is always a financial incentive. (We note that the AG indicated in 2020 in its response to comments submitted for the CCPA Regs that it believed loyalty programs should receive the same treatment as other financial incentives.) And the FAQ published by the AG does not provide much guidance on the topic. As a result, privacy experts have argued for years over which practices should be considered a financial incentive, and the debate has essentially resulted in a “you’ll know it when you see it” mentality.
What are some of the business concerns around classifying a loyalty program as a financial incentive?
Under CCPA, a business may only offer a financial incentive if it is reasonably related to the value of the consumer’s data. As part of the notice requirement mentioned above, the CCPA Regs require a business to provide a good-faith estimate of the value of the consumer’s data to the business, as well as a description of the method the business used to calculate the value of the data. Many businesses have resisted classifying their loyalty programs as financial incentives on the basis that the method they use to value their consumer data is a trade secret that they do not want to disclose publicly.
What is the impact of these letters?
These letters make clear that businesses can no longer avoid addressing the financial incentive obligation with respect to loyalty programs. Per the statement, the AG has taken action against businesses for “failing to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA.” Also, the statement indicates that the AG’s interpretation of financial incentives goes beyond loyalty programs to include “discounts, free items, or other rewards” in exchange for personal information. Businesses need to carefully evaluate their practices in the context of the financial incentive obligation.
What about offline loyalty programs?
The financial incentive obligation covers both online and offline data collection, and the AG is looking at both types of practices as indicated by the following quote in the statement:
“In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store [.] We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it. On Data Privacy Day, we’re issuing notices to business[es] that operate loyalty programs and use personal information in violation of California's data privacy law. I urge all businesses in California to take note and be transparent about how you're using your customer's data. My office continues to fight to protect consumer privacy, and we will enforce the law.”
Why did it take two years for the AG to issue its first warnings?
This actually is not the first time the AG has issued warnings to businesses for failure to comply with the financial incentive obligation under CCPA. Last year, the AG posted enforcement case examples, one of which related to loyalty programs. In the relevant example, the AG found a grocery chain retailer “did not provide a Notice of Financial Incentive to consumers participating in these loyalty programs.” According to the post, the retailer amended its privacy policy to include the notice. In addition to this public enforcement case example, the AG has issued warnings to other businesses, which have not been made publicly available.
Can we rely on the 30-day window to cure?
The main reason we haven’t seen public enforcement actions resulting in penalties is that CCPA gives businesses a 30-day window to cure their noncompliance. However, CPRA, which replaces CCPA on January 1, 2023, removes this 30-day window to cure. Further, the AG has indicated that some offenses are non-curable. Businesses should not rely on this 30-day window to cure, and we expect to see public enforcement actions resulting in penalties in the near future.
What’s next?
The CPRA retains most of the obligations around financial incentives with some slight tweaks to the language. Later this year, California’s new privacy regulatory agency, the CPPA, will issue regulations to interpret CPRA, and we expect those regulations to further address financial incentives (those regulations are due by July 1, 2022). We will keep track of updates around financial incentives and report back as we learn more.