Do loyalty programs count as “financial incentives” for the purposes of the CCPA?

Probably not.

The CCPA states that a business may offer “financial incentives, including payments to consumers as compensation, for the collection of personal information . . . .”1  If a financial incentive is offered, the CCPA requires the business to:

  • Notify the consumer of the financial incentive;2
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive program;3 and
  • Permit the consumer to revoke their consent “at any time.”4

The CCPA also implies that a financial incentive that amounts to a difference in “price, rate, level, or quality of goods or services” might have to be “directly related to the value provided to the business by the consumer’s data.”5

Some retailers have expressed confusion about whether a loyalty program might be considered a financial incentive insofar as such programs typically offer differences in price, level, or quality of goods or services to their members.  The intent of most loyalty programs, however, is not to provide benefits “for the collection of personal information,” but to provide benefits in recognition of (or in exchange for) repeat purchasing patterns.  Any collection of information is ancillary to the purpose of the loyalty program and typically is used by the company either to administer the program or to track accrued benefits.  As a result, a strong argument could be made that most loyalty programs do not qualify as a payment for the collection of personal information and, hence, are not “financial incentive” programs.

For more information and resources about the CCPA visit

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.125(b)(1).

2. CCPA, Section 1798.125(b)(2).

3. CCPA, Section 1798.125(b)(3).

4. CCPA, Section 1798.125(b)(3).

5. CCPA, Section 1798.125(b)(1).