United States: California Attorney General sets sights on consumer loyalty programs for CCPA enforcement

In brief

On "Privacy Day" - California Attorney General Rob Bonta announced an investigative sweep targeted at the data collection practices of businesses running consumer loyalty programs in California and issued notices of non-compliance to a number of "major corporations" in the retail, home improvement, travel, and food services industries. Such loyalty programs offered financial incentives to consumers (e.g., discounts, free items, and other rewards) in exchange for their personal information.


Under the California Consumer Privacy Act of 2018, as amended by the Consumer Privacy Rights Act of 2020 (CCPA), businesses must not discriminate against consumers who exercise their rights to information deletion or object to the selling or sharing of their personal information. At the same time, businesses shall not be prohibited under the CCPA from "charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer's data" or "from offering loyalty, rewards, premium features, discounts, or club card programs".

The California Attorney General promulgated in 2020 regulations that a business that offers a financial incentive or price or service difference shall provide a "notice of financial incentive" with prescribed disclosures, in addition to "at collection notices", which businesses must generally provide at or before the time they collect personal information from consumers. In the "notice of financial incentive", businesses must disclose material terms of incentive programs, including the value of the consumer's information.

In the recent enforcement actions concerning failures to provide notices of financial incentive, the California Attorney General offered the businesses 30 days to come into compliance with the CCPA before further enforcement actions would be commenced (as is currently required under the CCPA). In a press release issued by the office of the Attorney General, Bonta "urge[d] all business[es] in California to take note and be transparent about how you are using your customer's data", signaling an intent to prioritize enforcement of loyalty and other similar consumer programs moving forward.

The notice of financial incentive must clearly describe the material terms of the financial incentive program, be readily available before a consumer opts in, and inform consumers that they may opt-out at any time. Specifically, a business must include the following in the notice:

  1. A succinct summary of the financial incentive or price or service difference offered.
  2. A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer's data.
  3. How the consumer can opt-in to the financial incentive or price or service difference.
  4. A statement of the consumer's right to withdraw from the financial incentive at any time and how the consumer may exercise that right.
  5. An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer's data, including:
    1. A good-faith estimate of the value of the consumer's data that forms the basis for offering the financial incentive or price or service difference.
    2. A description of the method the business used to calculate the value of the consumer's data.

It is clear that the notice of financial incentive must include how a consumer can "opt-in" (a term not defined in the CCPA), which should not be conflated with a requirement under the CCPA to obtain consent (a defined term in the CCPA). Many financial incentive programs require terms of use and thus a need for an agreement involving some form of consent, anyhow (and in such cases, a separate consent could be added), but there are contexts where companies ask for personal information that may trigger a requirement for a financial incentive notice where terms and conditions may not be required. Per Cal. Civ. Code Section 1798.125, a business may enter a consumer into a financial incentive program only if the consumer gives the business prior "opt-in consent" pursuant to Cal Civ. Code Section 1798.130. But the reference to 1798.130 is confusing because 1798.130 does not provide for how to obtain opt-in consent and, as amended, section 1798.130 has a heading of "notice, disclosure, correction, and deletion requirements". If the reference is to be given any meaning, it supports that consent is not required before first enrolling a consumer in a financial incentive program because 1798.130(a)(5)(A) requires that businesses include in their CCPA online policy a description of a consumer's rights pursuant to 1798.125 and methods for submitting requests. There are other possible readings of the CCPA on this point. But the CCPA generally does not require opt-in consent for data collection and has an opt-out structure with regards to selling personal information. It would seem logical that the drafters of the CCPA meant for a similar opt-out regime with respect to financial incentive programs to apply (where opt-in consent and waiting 12 months is only required after someone first opts out). And the title of 1798.125 has been amended to say "consumer's right of no retaliation following opt-out or exercise of other rights", which would seem supportive of such interpretation.

Businesses now face the difficult task to estimate the value of consumers' personal information. They should carefully consider all implications from an accounting, tax and litigation perspective. For example, once a business publishes a value pertaining to personal information, the stated value will likely be considered in unrelated contexts and disputes such as data security breaches, trade secret misappropriation, breaches of marketing collaboration contracts with business partners, unclaimed property compliance (escheat), or transfer pricing arrangements in multinational groups. Courts will not be bound by the business's valuation, of course, but adversaries may hold a published valuation number against a business as an admission of value and make it difficult to argue for a different valuation.

Our team is monitoring developments as the cure period for compliance provided in the notice nears expiration. Should you have questions in the meantime, please reach out to our team or your Baker McKenzie contacts for additional information. 

Copyright © 2023 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.