Friday, January 28, was Data Privacy Day, and California Attorney General Rob Bonta commemorated the holiday with an announcement about how his office has been enforcing the loyalty program provisions of the California Consumer Privacy Act (CCPA). If your organization offers financial incentives related to the collection of personal information, you may want to double-check that your privacy program is fully compliant with the CCPA.
The Attorney General’s announcement stated that he had sent notices alleging noncompliance with the California Consumer Privacy Act to businesses operating loyalty programs. The recipients of the notices included “major corporations in the retail, home improvement, travel, and food services industries.” AG Bonta further stressed that, while most people think of the CCPA only in relation to internet privacy, it applies to the collection of personal information at brick-and-mortar stores too—which is where many consumers use loyalty programs.
If your organization offers anything of value to the consumers whose personal information it collects, you should determine whether you are operating a “financial incentive program” under the CCPA. Examples could include:
- Discounts provided to users who sign up for marketing emails
- Offering lower prices for items to users who have created an account
- Sending free items to users who provide personal information
- Only allowing paying customers to opt out of the sale of their personal information.
Financial incentive programs are permissible only if: (1) the business provides notice to the consumer about the financial incentive, (2) the consumer affirmatively opts in to the program, and (3) the value of the incentive is “reasonably related” to the value of the consumer’s data. The privacy act’s regulations provide more information about the required notice, what constitutes a financial incentive, and how to calculate the reasonable value of consumers’ data.
This announcement from the California AG is a good reminder that having an online privacy policy is often not sufficient for full compliance. Your privacy policy should include details about how your organization uses personal information, including whether a practice qualifies as a financial incentive, and should also cover any in-person data collection at your brick-and-mortar locations.
SixFifty’s Privacy toolset can help you determine how to best handle your organization’s data. We are continuously monitoring this dynamic area of the law and updating our tools with changes in real time. Working with SixFifty is like having top-tier employment lawyers by your side as you work through the best way to comply with your privacy law obligations.
If you are ready to get started or have any questions, schedule a demo with SixFifty today!

Written by Austin Smith
Austin Smith is Vice President of Legal Product at SixFifty, focusing on data privacy products. He translates the myriad consumer privacy laws around the world into plain English to help companies build robust, flexible privacy programs. Whether it’s the CCPA/CPRA in California, upcoming privacy laws in other US states, the GDPR in Europe, or the PIPL in China, Austin crafts...
Full Bio and other articles by Austin Smith
About The Author: Austin Smith
Austin Smith is Vice President of Legal Product at SixFifty, focusing on data privacy products. He translates the myriad consumer privacy laws around the world into plain English to help companies build robust, flexible privacy programs.
Whether it’s the CCPA/CPRA in California, upcoming privacy laws in other US states, the GDPR in Europe, or the PIPL in China, Austin crafts documents and advises on company procedures that comply with each jurisdiction’s requirements.
Education and Experience
Austin earned a Bachelor of Science degree from Brigham Young University in Computer Science, with a minor in Mathematics. He participated in several extracurriculars, including intramural flag football and Parity, the gender-equality club. He also loved taking foreign language classes for fun, inspired in part by two years spent living in Estonia.
After undergrad, Austin decided to become a lawyer instead of a programmer, and headed to the University of Virginia School of Law. Some of his favorite classes included constitutionalism, privacy and surveillance, religious liberty, cybercrime, and public interest law. Austin also served as an Executive Editor of the University of Virginia Law Review, polishing the work of acclaimed legal scholars. He graduated from UVA in 2013.
Before joining SixFifty, Austin worked at law firms in the DC area advising companies ranging from tech titans to small startups on data privacy, cybersecurity, and antitrust issues. He has experience slogging through comprehensive data mapping, assessing gaps in companies’ privacy programs, drafting privacy policies from scratch (and fine-tuning pre-existing ones), negotiating data protection agreements, and training employees on handling requests from consumers exercising their privacy rights. Austin also worked on Capitol Hill at the Congressional Research Service, briefing members of Congress and their staff on privacy and data security issues.
Achievements with SixFifty
Austin’s work at SixFifty makes compliance with a wide variety of data privacy laws easier. He is proud to have had a hand in all of SixFifty’s existing and upcoming privacy products.
In late 2021, when China passed the PIPL, Austin spearheaded the company’s creation of a suite of legal documents (in both English and Chinese) necessary for compliance with the law. In doing so, he coordinated with Wilson Sonsini attorneys and local counsel in China, and completed the project within about a month’s time so as to comply with the statute’s deadline.
Austin has also created data privacy products for the upcoming laws in Virginia, Colorado, and Utah. He routinely updates SixFifty’s tools for privacy compliance in California, the European Union, and the United Kingdom following events as major as Brexit or as mundane as the publication of new regulations. He has learned firsthand that data privacy is a field undergoing rapid development, and he is excited to be able to provide dynamic, up-to-date legal products that keep pace with the law.
Get to Know Austin
When not wading through the arcana of data privacy law for SixFifty, Austin enjoys being a cat-parent to two adorable felines and spending quality time with family and friends. He nerds out with Star Wars, math, and crosswords. He’s more into Bob Dylan’s music than is reasonable for any ‘90s kid.
Austin also loves watching and discussing movies; his favorite is a toss-up among Jurassic Park, 2001: A Space Odyssey, and Airplane!. He loves traveling around the world, with Egypt and Estonia being two of his most memorable destinations.
TL;DR – Austin is serious. Don’t call him Shirley.
Bar Licensed
Virginia
More posts by Austin Smith