Businesses Using Loyalty Programs Receive Notice from California AG

In a press release from the California Office of the Attorney General, AG Rob Bonta has announced an investigative sweep of businesses that use mobile apps and which have allegedly either failed to offer any mechanism for opting out of the sale of personal data, or failed to comply with the opt-out requests of consumers. 

On the 28th of January, on Data Privacy Day, letters were sent by the AG to businesses that have loyalty programs in place, with a focus on those using apps in the travel, retail, or food service industry, granting them a cure period of 30 days for the alleged violations of the CCPA. Another point of focus here was on businesses that have received opt-out requests from consumers but have failed to process these within the mandatory period of time. 

The CCPA has been in force since 2020, giving California residents the right to opt out of the sale of their personal data, with covered businesses having 15 days at their disposal to process a request for this. The way to be compliant with this is that your website has to have an easily accessible and visible link called “Do Not Sell My Personal Information” that allows consumers to opt out of this. With the CPRA regulations, in force as of January 1st, 2023, this obligation is now more in the spotlight than ever before, as it supplements the initial obligation with the addition of the right to also opt out of the sharing of personal information. As such, the previous link now becomes “Do Not Sell or Share My Personal Information.”

Under CCPA, businesses are allowed to offer consumers financial incentives in exchange for collecting personal information through the use of loyalty programs, but they also have to provide proper notice of all the relevant details, such as “a notice of financial incentive if profiting from the collection of customers' personal information.” and obtain the opt-in consent of consumers, prior to the start of the program. 

AG Rob Bonta stated: 

“In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store.”

This emphasizes not only the online data collection, but also the offline, when consumers fill out a printed form. AG Bonta concluded his statement with the following: 

“I urge all businesses in California to take note and be transparent about how you're using your customer's data. My office continues to fight to protect consumer privacy, and we will enforce the law.”

The main takeaways in light of all of the above would be the following: 

• Businesses that engage in targeted advertising must offer a Do Not Sell My Personal Information mechanism, otherwise they risk being behind on compliance. This is especially important with the enforcement of the CPRA requirements. 

• Once your business has put in place an opt-out mechanism, you need to proceed with addressing consumer requests within the allotted time. 

• If your business uses a mobile app, you need to keep in mind that these can access a wide range of sensitive data, such as a consumer’s precise geolocation. This means California’s regulators will pay special attention to such apps and consequently to the way you drive compliance.