- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the CCPA require that the benefits conferred by a loyalty program be “reasonably related” to the value of a consumer’s data to the business?
The CCPA makes clear that a business can offer different prices or rates to consumers as part of a financial incentive program if those different prices or rates are “directly related to the value provided to the business by the consumer’s data.”1 The CCPA does not, however, directly prohibit the offering of a financial incentive if the value provided to the business by the consumer’s data is not “directly related” to the value of the financial incentive.
The CCPA also states that a business may not, through a financial incentive program (or any other activity), discriminate against a consumer because the consumer “exercised any of [their] rights” under the CCPA (e.g., access, deletion, or opt-out of sale), unless the difference in price, rate, or quality that forms the basis of the discrimination is “reasonably related to the value provided to the business by the consumer’s data.”2
In commentary published with the issuance of the regulations implementing the CCPA, the California Attorney General informally suggested that the Act might be interpreted as requiring that the benefit provided by all loyalty programs should be “reasonably related to the value of the consumer’s data to the business.”3 The California Attorney General did not explain, however, the basis for his assertion, and such a position would directly conflict with the text of the CCPA (described above) which applies the “reasonable relationship” test only to situations in which “discriminat[ion]” is prompted by the “exercise . . . of the consumer’s rights.”4 Furthermore, in other statements made by the Attorney General, he concedes that the “reasonable related” standard applies only in the context of discrimination.5
As a result, there is a strong argument that the price or rate discounts offered through a loyalty program do not need to be reasonably related to the value that a business derives from data, so long as the business does not discriminate against a consumer that attempts to exercise a privacy right.
Can a company exclude Californians from a loyalty program?
Some retailers have expressed confusion about whether a loyalty program might be considered a “financial incentive” program under the CCPA. If a loyalty program were classified as a “financial incentive program,” it might, among other things, require the business to confirm that differences in “price, rate, level, or quality of goods or services” offered to consumers are “directly related to the value provided to the business by the consumer’s data.”1
Most loyalty programs have a strong argument that they are not financial incentive programs as the main purpose of the program is to provide benefits in recognition of (or in exchange for) repeat purchasing patterns, and not “for the collection of personal information.” Nonetheless, some retailers have expressed concern that privacy advocates, or plaintiffs attorneys, might attempt to argue that all loyalty programs amount to financial incentives. In order to avoid the cost of defending such an argument, they have considered excluding Californians from the scope of their loyalty programs.
While the CCPA prohibits discriminating against a consumer that exercises one of their rights under the Act,2 the CCPA does not confer a right to join loyalty programs. As a result, a company can elect to exclude Californians completely from loyalty programs in order to avoid the risk that the program might be alleged to be a financial incentive program.
Do all marketing lists discriminate against consumers that exercise a right to be deleted?
The CCPA generally prohibits a business from “discriminat[ing]” against a consumer that chooses to exercise “any of the consumer’s rights” – including the right to be deleted.1 As a result, to the extent that a consumer’s name is included in a marketing list, and the act of deletion would deprive the consumer of an exclusive price, discount, or service offering, a business could be alleged to have “discriminated” against the consumer.
That does not, of course, mean that all marketing lists inevitably lead to discrimination when a deletion request is made. Many – if not most – marketing lists are not structured to lead to a discriminatory outcome. For example, a strong argument could be made that the following types of marketing lists would not cause discrimination when, or if, a consumer exercised a right to be deleted:
- Discounts to join a marketing list. Many businesses offer consumers a discount for joining a marketing list (e.g., “Receive a 10% coupon when you join our mailing list”). Incentivizing a consumer to join a marketing list does not “discriminate against a consumer” that has “exercised any of the consumer’s rights” under the CCPA.2 Specifically if the consumer submits a deletion request after joining the marketing list, and their information is deleted, discrimination has not occurred unless the consumer is denied the ability to utilize the discount that they received when they initially joined (e.g., the 10% coupon).
- Alerts of sales. Many businesses offer consumers the ability to sign up to receive emails or mailings that describe sales or promotions offered by the business (e.g., “Sign up and never miss our sales!”). Notifying a consumer of upcoming sales does not “discriminate against a consumer” that has “exercised any of the consumer’s rights” under the CCPA. 3 Specifically if the consumer submits a deletion request after joining the program, and their information is deleted, discrimination has not occurred unless the consumer is denied the ability to avail themselves of the actual sale or promotion being offered. To the extent that the sales or discounts are available elsewhere (e.g., on the company’s website, or in the company’s store), discrimination arguably has not occurred.
If a business offers a financial incentive when collecting a consumer’s personal information, does it have to estimate the value of the financial incentive?
The CCPA generally prohibits a business from “discriminat[ing]” against a consumer that chooses to exercise “any of the consumer’s rights” – i.e., the right of access, the right of deletion, or the right to opt out of the sale of information.1 An exception to the rule against discrimination arises if a company provides a different price or a different level of service and the difference is “reasonably related to the value provided to the business by the consumer’s data.”2 When that occurs, the CCPA requires that the business “notify consumers of the financial incentives” that are offered, and approximate that the discriminatory “difference is reasonably related to the value provided to the business by the consumer’s data.”3
Unlike situations in which a company discriminates against a consumer that is exercising a privacy right, when a financial incentive is tied to the collection of consumer information the CCPA states only that a business must notify consumers of the financial incentive and comply with the general notice obligations found within the CCPA that apply anytime personal information is collected.4 While a business is required to notify a consumer of any “material terms” that may relate to the financial incentive, it is not required to estimate the value of the financial incentive or show that the value relates to the value of the data to the business.5
CCPA Privacy FAQs: Under the CCPA, can a conference organizer use on-site tracking at their conference for third-party marketing?
On-site tracking refers to the practice of scanning attendees’ badges manually (e.g., bar code) or automatically (e.g., RFID chip in badges read at doorways). Organizers track this information for various reasons, such as to award credit for attending various panels (e.g., continuing education verification) or for their own analytics (e.g., to track session attendance for future room allocation or to determine future programming).
- If the organizer intends to sell the data to third parties, the organizer will need to provide a “Do Not Sell my Information” link in their online privacy notice.
- An organizer may receive a request from an attendee for access to their information. In response to such a request, they may need to disclose all of the data collected about a particular attendee (e.g., locations tracked, activities recorded).
- An organizer may receive a request from an attendee to delete their information. In response to such a request, they may need to have the ability to selectively delete information about the attendee, or to explain to the attendee why such information is not required to be deleted. For example, if the information is being collected for a purpose other than marketing – such as security at the conference – the organizer may be able to deny the request on those grounds.
- If the organizer transfers the personal information to a third party, and allows that third party to use it for their own purposes (e.g., to directly market to California residents), the organizer would have to include a “Do Not Sell My Information” link on their internet home page1 and within any only privacy policies.2 Further, the organizer cannot discriminate against any attendees who opt not to have their information sold by offering them fewer benefits or charging higher prices.3
Co-authored by Jason Schultz
CCPA Privacy FAQs: If a business voluntarily honors the deletion request of a loyalty program member, is it violating the CCPA?
Typically, businesses are not required to delete information maintained as part of a loyalty program in response to a right to be forgotten request. Some businesses, however, may consider voluntarily agreeing to a right to be forgotten request in order to confer upon consumers greater control over their data.
Based upon the current drafting of the CCPA, voluntarily agreeing to a right to be forgotten request may raise unintended complexities. Specifically, the CCPA states that a business “shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights” under the Act.1 Among other things, the CCPA provides the following examples of discrimination under the statute:
- Denying “goods or services” because the consumer exercised a deletion right;2
- Charging “different prices or rates for goods or services” because the consumer exercised a deletion right;3
- Charging different rates “through the use of discounts or other benefits” because the consumer exercised a deletion right;4 or
- Providing “a different level or quality of goods or services” because a consumer exercised a deletion right.5
In the context of a loyalty program, a potential conflict arises if an individual requests to be forgotten. If the business voluntarily honors such a request, the consumer’s participation in the loyalty program would presumably need to be terminated as the business would no longer have data about the consumer needed to track purchases and provide loyalty-related benefits. For loyalty programs that provide free products or services, termination could lead a consumer to argue that they were either “den[ied] goods or services” or “charg[ed] different prices or rates . . . through the use of discounts or other benefits.”6 While some businesses might attempt to mitigate inadvertent harm by warning consumers that an inevitable consequence of a deletion request would be the loss of value, or the loss of benefits, associated with the loyalty program, the CCPA specifically prohibits a business from “[s]uggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services” if the consumer were to exercise one of their rights.7 That prohibition seemingly puts a business between a rock and a hard place. If they honor the consumer’s request, they may be accused of unlawful discrimination by denying the benefits of the loyalty program as a result of the exercise of the consumer’s rights. If they warn the consumer of the inevitable consequence of a deletion request, the business could be accused of violating the CCPA by suggesting that the exercise of a right will lead to the loss of a benefit.
To the extent that the California Attorney General argues that the act of exercising a deletion request leads to a form of “discrimination,” the CCPA provides an affirmative defense that may be available to some loyalty programs. The CCPA states that, notwithstanding the anti-discrimination prohibition within the Act, a business may charge a different price or rate, or provide a different level of quality or service, if that “difference is reasonably related to the value provided to the business by the consumer’s data.”8 The CCPA does not, however, set forth a standard by which courts should judge whether the difference in price or quality is “reasonably related.” Nor does the CCPA set forth a methodology for how a business should calculate the value provided to it by the consumer’s data.
The net result is that there remains a great deal of uncertainty concerning the practical ability of a business to rely upon the “business value” exception. Specifically, it remains to be seen whether courts will (1) assign the burden to a plaintiff to prove the value of data to a business, or assign the burden to a business to prove the value to the business of the data, (2) perceive the question of whether two values are “reasonably related” to be a question of fact suitable for juries, and/or (3) establish a consistent methodology for calculating the value of data to a business.
CCPA Privacy FAQs: Is a business prohibited from giving discounts to loyalty program members?
The CCPA prohibits a business from charging different “prices or rates” or offering “discounts, or other benefits” based upon whether a consumer “exercised any of the consumer’s rights” under the Act.1 The Act does not confer a right to join (or not join) a loyalty program. As a result, the CCPA does not, on its face, prohibit a loyalty program from charging different prices or offering discounts to loyal consumers.
Some retailers have expressed concern that the CCPA may indirectly prohibit a business from charging different prices through a loyalty program because members of a loyalty program may exercise their right to request the deletion of their information. The specific concern is that if a loyalty program honored a deletion request, it would be forced to stop providing a benefit and thus could be accused of price discrimination. Such concern is unfounded in the context of most loyalty programs. Specifically, most loyalty programs are not required to honor most deletion requests. If a loyalty program chooses to honor a deletion request, there are several steps that can be taken to ensure that a consumer is not disadvantaged because of that election.
CCPA Privacy FAQs: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?
The CCPA provides as an exception to its prohibition against discrimination situations in which a “price or difference” is related to the value provided to a business by the consumer’s data.1 While some retailers have suggested that this exception may require that all retailers explain how the benefits of their loyalty program relate to the value to a business of loyalty-program-members data, such an interpretation overlooks the fact that the anti-discrimination provisions of the CCPA only require that a business does not discriminate against a consumer that exercises a right under the CCPA. As joining a loyalty program is not, in and of itself, a right, a business is not required to explain how the benefits offered by the loyalty program relate to the value provided to the business by consumer data.
Stop the CCPA Fearmongering: Loyalty Programs Will Survive
Anytime a new statute or regulation comes along, some law firms unfortunately flag issues that may not be of true concern to companies, or highlight problems that may not, in fact, exist. Unfortunately, that continues to happen in connection with the California Consumer Privacy Act (“CCPA”). In the context of retailer loyalty or reward programs, firms have said that the CCPA may spell the “end of loyalty programs,” or implied that the CCPA could lead to “the potential elimination of loyalty programs due to the nondiscrimination requirements.” Some law firms have gone so far as to advise retailers to “address the issue[s]” caused by their loyalty programs by “not offer[ing] preferential pricing through loyalty programs” or by “mak[ing] loyalty program pricing available to all customers” regardless of whether they are, in fact, members of the loyalty program. Such changes would, of course, destroy the business-case for having a loyalty program in the first place.
These concerns are incorrect and demonstrate a lack of understanding of the requirements of the CCPA. While the Act is, without a doubt, flawed, poorly drafted, and prone to misinterpretation, it does not lead to the conclusion that most loyalty programs are inherently problematic, nor should it cause most retailers to drastically change the terms and structure of their program. The hyperbolic treatment of loyalty programs by some law firms may also have contributed to several companies and industry groups echoing these concerns with the California legislature and the California Attorney General and alleging (incorrectly) that “the CCPA may prevent marketers from offering loyalty programs,” or that the CCPA, as currently written, prohibits “tiered pricing, discounts or coupons.”
The following dispels five (mis)statements that have been made in connection with the CCPA’s impact on loyalty programs.
1. Myth: The CCPA prohibits “charging different prices or rates for goods or services.”
It does not.
The prohibition against price discrimination in the CCPA only applies to situation in which a consumer exercises a right conferred by the CCPA. Nothing within the CCPA confers a right to join (or not join) a loyalty program. For more information, see FAQ: Is a business prohibited from giving discounts to loyalty program members?
2. Myth: The CCPA states that the benefit provided to the consumer through a loyalty program must be reasonably related to the value provided to the business by the consumer’s data.
It does not.
As indicated above, the CCPA prohibits a business from engaging in price discrimination when a consumer exercises a right under the CCPA. The CCPA provides an exception to that prohibition when the discrimination relates to a “price or difference” that is related to the value provided to a business by the consumer’s data.1
While some lawyers have misinterpreted this as requiring that all loyalty program benefits be related to the value provided to the business by the consumer’s data, as noted above, the operation of the loyalty program itself is not prohibited by the CCPA and, thus, does not require the benefit of this exception.
For more information, see FAQ: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?
3. Myth: Businesses must honor deletion requests for loyalty members.
They generally do not.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”2 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.), there are several exceptions to the CCPA which would allow a business to refuse a deletion request. For more information about each of those exceptions, and a description of how they apply to most loyalty programs, see FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an active member? and FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an inactive member?
4. Myth: Businesses that offer loyalty programs must include a “do not sell my personal information” link.
The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.
For more information go to FAQ: Is a business required to post a “do not sell” link if it offers a loyalty program?
5. Myth: Businesses that allow consumers to redeem points with third parties are selling information.
They generally are not.
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.4 In the context of loyalty programs, it is not unusual for the operator of a loyalty program to enter into an agreement with a business partner (e.g., another company) to permit a consumer to redeem points accumulated through the loyalty program of business A in order to receive goods or services provided by business B. For example, a hotel may have an agreement with a car rental service through which a consumer can redeem hotel loyalty points to receive a free car rental.
Such redemption arrangements may require the disclosure of personal information from one business (e.g., business A) to a second business (e.g., business B), and may include the payment of money or other consideration for the ability to receive advertising or promotion as a rewards provider. As a result, and depending upon the structure of the business relationships, it is possible that, at first glance, the arrangement could fit the definition of “sale” under the CCPA.
Assuming that the transfer of information to a redemption partner did satisfy the definition of a “sale,” the CCPA contains an exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information.”5 As a result, if a consumer uses a loyalty program in order to interact with another business, or directs a loyalty program to disclose personal information as part of a points redemption, the loyalty program operator arguably has not “sold” information.