Loyalty programs are everywhere. A Starbucks gold card might get you a free shot of syrup or refill on coffee. Your hotel gives you free upgrades and snacks for being a loyal member. When I buy a salad from the cafe downstairs from my office, I punch in my phone number and collect points that, someday, I will cash in for a free roast beef panini and large fountain soda. But now, there’s some concern that such loyalty programs will go the way of the dinosaur under the CCPA.
At first glance, the CCPA seems to allow loyalty programs. Section 1798.125(b)(1) states:
A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
Subsequent subsections clarify that businesses must “clearly describe[] the material terms of the financial incentive program” and that consumers must opt in. The program also cannot be “unjust, unreasonable, coercive, or usurious in nature.”
There are a few problems. First, nobody quite knows what this “directly related to the value” section means. If a consumer gives their basic information (name, address, phone number, email address) to a company, is the “value” of that data enough to justify the rewards the company is giving its members? That’s not clear.
Second, it’s highly unlikely that the company gave all the necessary disclosures and received the necessary consent under the CCPA for all of the members currently in the loyalty program. Unless the company complied with all of the requirements of 1798.135, including but not limited to placing a “Do Not Sell My Personal Information” button on the opt-in page and reciting the consumer’s rights to not have their information sold, it is likely in violation of the CCPA. Unless the company wants to start over with all of its California resident loyalty members, it might be easier to just scrap the program altogether.
This lack of clarity is making enough people nervous that the Legislature may change the CCPA to specifically exempt loyalty programs through proposed amendment AB 846. AB 846 begins by citing the facts that 1) 80% of adults belong to loyalty programs, 2) loyalty program membership is increasing, and 3) the interestingly worded “Eighty-seven percent of customer loyalty program members say they are open to sharing personal information about their activity and behavior in order to receive more personalized rewards.”
AB 846 would amend the law to state:
This title shall not be construed to prohibit a business from offering a different price, rate, level, or quality of goods or services to a consumer, including offering its goods or services for no fee, if either of the following is true:
(1) The offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discounts, or club card program.
(2) The offering is for a specific good or service whose functionality is directly related to the collection, use, or sale of the consumer’s data.
It isn’t hard to understand the opposition to this, though the committee spelled it out in the legislative comments, sourced from Californians for Consumer Privacy:
[AB 846 would] create an unfortunate choice for consumers: participate in loyalty programs that, in many cases, are almost mandatory from a financial savings perspective, and allow data about your most intimate and personal purchases to be sold; or don’t participate in the program, and pay much more for your food or medicine. […] Data collected pursuant to a loyalty program […] can be used to create profiles that can be used for targeting or discrimination. Moreover, increasingly there are concerns that data about, say, your food choices, will end up in the hands of health or life insurance companies and be used to make decisions about how much you are charged for health and life insurance. [… Also, it] is important to remember that deidentified and aggregate data are not defined as [PI] under CCPA. So, a loyalty program would be able to sell information such as how many male customers buy Pop-Tarts in a given store, and the retailer would be able to send coupons to those customers, all within the legal bounds of CCPA.
In other words, maybe there should be a middle ground between complete exemption from the CCPA (and therefore no protection) and killing the concept of rewards programs as we know it. This isn’t the first time we’ve seen the business community advocate for “clarity” that, coincidentally, weakens portions of the CCPA. Regardless, AB 846 seems likely to pass. It passed 9-0-2 and 18-0 in the Privacy and Consumer Protection and Appropriation Committees. Never doubt how much people love their airline miles.
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.