Friday, January 28, was Data Privacy Day, and California Attorney General Rob Bonta commemorated the holiday with an announcement about how his office has been enforcing the loyalty program provisions of the California Consumer Privacy Act (CCPA). If your organization offers financial incentives related to the collection of personal information, you may want to double-check that your privacy program is fully compliant with the CCPA.

The Attorney General’s announcement stated that he had sent notices alleging noncompliance with the California Consumer Privacy Act to businesses operating loyalty programs. The recipients of the notices included “major corporations in the retail, home improvement, travel, and food services industries.” AG Bonta further stressed that, while most people think of the CCPA only in relation to internet privacy, it applies to the collection of personal information at brick-and-mortar stores too—which is where many consumers use loyalty programs.

If your organization offers anything of value to the consumers whose personal information it collects, you should determine whether you are operating a “financial incentive program” under the CCPA. Examples could include:

  • Discounts provided to users who sign up for marketing emails
  • Offering lower prices for items to users who have created an account
  • Sending free items to users who provide personal information
  • Only allowing paying customers to opt out of the sale of their personal information.

Financial incentive programs are permissible only if: (1) the business provides notice to the consumer about the financial incentive, (2) the consumer affirmatively opts in to the program, and (3) the value of the incentive is “reasonably related” to the value of the consumer’s data. The privacy act’s regulations provide more information about the required notice, what constitutes a financial incentive, and how to calculate the reasonable value of consumers’ data.

This announcement from the California AG is a good reminder that having an online privacy policy is often not sufficient for full compliance. Your privacy policy should include details about how your organization uses personal information, including whether a practice qualifies as a financial incentive, and should also cover any in-person data collection at your brick-and-mortar locations.

SixFifty’s Privacy toolset can help you determine how to best handle your organization’s data. We are continuously monitoring this dynamic area of the law and updating our tools with changes in real time. Working with SixFifty is like having top-tier employment lawyers by your side as you work through the best way to comply with your privacy law obligations.

If you are ready to get started or have any questions, schedule a demo with SixFifty today!


Austin Smith

Written by Austin Smith

Austin Smith is Vice President of Legal Product at SixFifty, focusing on data privacy products. He translates the myriad consumer privacy laws around the world into plain English to help companies build robust, flexible privacy programs. Whether it’s the CCPA/CPRA in California, upcoming privacy laws in other US states, the GDPR in Europe, or the PIPL in China, Austin crafts...

Full Bio and other articles by