What rights does a consumer have in relation to a loyalty program under the CCPA?

Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third-party products. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter, most, if not all, loyalty programs share two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.1

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, its loyalty program will also be subject to the CCPA.  In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:


| Right | Applicability to Loyalty Program |
| --- | --- |
| Notice at Collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.2 |
| Privacy Notice | A loyalty program that collects personal information of its members should make a privacy notice available to its members.3 |
| Notice of Financial Incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA, a business should provide a “notice of financial incentive.”4 |
| Access to Information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.5 |
| Deletion of information | A company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-out of sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information. |