CCPA Privacy FAQs: Is a business required to provide a privacy notice in conjunction with a loyalty program?

Generally, yes.

To the extent that a loyalty program collects personal information, it is required to provide a privacy notice consistent with the CCPA.

One of the rights granted to individuals under the CCPA is the right to be informed about the collection and use of personal data.1  A privacy notice (sometimes referred to as a privacy policy or information notice) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses the data, with whom the company shares the data, and how the company protects the data.  The CCPA requires that a business subject to the Act’s jurisdiction “inform consumers” about the categories of information collected and the purposes of that collection “at or before the point of collection.”2  The CCPA also requires that a business that posts an online privacy policy include within it certain additional disclosures relating to the rights of California residents, the specific categories of information collected, and the practices that the company has in relation to the sale of information.3