by Monique N. Bhargava, Sarah L. Bruno, and Karim Alhassan
As many retailers know, customer acquisition and retention are a constant challenge, driving businesses to focus on innovating consumer engagement in order to maintain loyalty. As a result, loyalty programs have become more than just a way to increase sales and are transforming into data-driven tools that can aggregate the many touch points needed to provide the personalized and curated experiences consumers seek from their favorite brands.
This increased complexity and customization means that businesses have to carefully balance consumers’ expectations around engagement and benefits with their expectations around privacy and transparency, and an ever-evolving regulatory landscape, including guidance from the Federal Trade Commission, state unfair competition laws, and privacy laws. Now, thanks to California, the analysis just got a little more challenging.
New Regulations for Loyalty Programs
In an announcement detailing both an investigative sweep of businesses operating loyalty programs in California and the dissemination of non-compliance letters, California Attorney General Rob Bonta issued a warning shot to retailers. Specifically, AG Bonta underscored that businesses running loyalty programs in California who do not meet the requirements set forth in the CCPA — namely providing a notice of financial incentive to consumers in connection with a loyalty program — will be held to account.
In particular, Bonta highlighted that for all the focus and scrutiny on the privacy harms coming from digitally native companies, “it’s easy to forget that our data isn’t only collected when we go online. We may not always realize it, but these brick-and-mortar stores are collecting our data — and they’re finding new ways to profit from it.” As such, retailers conducting loyalty programs in California should heed this warning by (1) carefully reviewing the requirements set forth in the law; (2) reviewing their data collection practices to determine whether certain compliance obligations are triggered; and (3) periodically monitoring their programs to ensure they are run in a manner consistent with the CCPA’s requirements.
Are Loyalty Programs More Valuable Than Ever?
Loyalty programs are one of the most effective arrows in a marketer’s quiver. As this age-old strategy transforms to meet consumer expectations of data-driven personalization, marketers must be ready to confront the associated regulatory risks that arise in the privacy space. This is especially true as different states enact new laws that broadly define personal information and give consumers new rights to their data, such as the right to access, delete and/or correct their data. In the context of loyalty programs, the CCPA is at the forefront of these state laws.
The CCPA is notable because it includes obligations associated with “financial incentives.” The CCPA’s final regulations define a financial incentive as “a program, benefit, or another offering, including payments to consumers, related to the collection, retention, or sale of personal information.” When the CCPA was first passed, there was an initial industry debate over whether loyalty programs were to be considered “financial incentives.” On one side of the argument, loyalty programs function to reward customers for their purchases and engagements with a business, with the collection of data necessary to their operation and arguably a by-product of the program’s main purpose. On the other hand, others have argued that, particularly in light of digital transformation, loyalty programs have become a valuable source of personal data and consumer insight that could be used for many purposes beyond enhancing the consumer experience, including inventory management, attracting brand partnerships, and driving omni-channel traffic.
AG Bonta’s hyper-focus on financial incentives as part of loyalty programs is evident from the target of the enforcement sweep, with the press release specifically stating that the “sweep of notices is part of the California Department of Justice’s ongoing enforcement efforts and focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program as required by the CCPA.” It is a clear message that retailers must familiarize themselves with the law’s requirements and update their programs and disclosures accordingly.
What is Required?
The CCPA requires that companies offering a financial incentive provide consumers with a formal Notice of Financial Incentive. As to its contents and form, the notice “must be designed and presented in a way that is easy to read and understandable to consumers” and should be (1) written in plain, straightforward language; (2) drafted in a conspicuous manner; (3) made available to consumers before they are given the choice to opt in to the program; and (4) reasonably accessible to consumers with disabilities. In addition, the notice must include:
- A succinct summary of the financial incentive or price or service difference offered.
- A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data.
- How the consumer can opt in to the financial incentive or price or service difference.
- A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right.
- An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
  - A good faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference.
  - A description of the method the business used to calculate the value of the consumer’s data, which can be found on WestLaw.
In addition to the notice of financial incentives that was the focus of the enforcement sweep, AG Bonta recently released an opinion clarifying that “internally generated inferences that a business holds about a consumer are personal information within the meaning of the CCPA, and must be disclosed to the consumer” upon a valid consumer request for personal information. Specifically, information required to be disclosed includes inferences drawn from personal information obtained about the consumer and used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. This is required whether the inferences were drawn from information obtained from the consumer, from public repositories, from a broker, or even inferred from the business’ own algorithms or proprietary processes.
Finally, while the CCPA has taken center stage in the discussions surrounding loyalty programs and privacy, it is important to also note that retailers hosting loyalty programs should still familiarize themselves with the other requirements related to personal information as a result of new state laws in Virginia, Colorado, and Utah. Each of these states has also passed laws that give consumers more control over their personal information and the ability to opt out of the use of their information by a business for secondary purposes. Given this, any retailer operating a loyalty program should revisit the program terms as well as its privacy policy to ensure it has all the appropriate disclosures included.
What Are the Next Steps?
As explained above, the AG has sharpened his gaze on businesses running loyalty programs who choose to ignore the disclosure obligations mandated by the CCPA and accompanying regulations. Moreover, the investigative sweep and corresponding non-compliance letters demonstrate that the AG’s scrutiny is not reserved for the usual suspects (the tech companies), and includes offline programs run by traditional brick-and-mortar retailers. Because of this, it is paramount that the ability to run these programs ― to build lasting customer loyalty ― is protected.
Any business running loyalty programs in California should examine its loyalty program operations to evaluate what financial incentive notices and opt-ins may be needed, including determining how best to calculate such incentives. In light of AG Bonta’s recent opinion, businesses should ensure that they have properly mapped loyalty program data such that California consumers are provided the requisite information in response to their requests for personal information.
Monique (“Nikki”) Bhargava is a partner in Reed Smith’s Global Entertainment and Media Industry Group. She focuses her practice on the convergence of advertising and emerging technology, helping clients navigate advertising and privacy issues in new media, digital marketing and content, social media, adtech and martech. She supports consumer brands, advertising agencies, publishers, media and technology companies in all aspects of their advertising, marketing, and media initiatives, as they innovate to drive consumer engagement.
Sarah Bruno is a partner in Reed Smith’s Global Entertainment and Media Industry Group. Her work involves the cross-section of expertise in the Intellectual Property, privacy and advertising spaces. She is routinely evaluating client products and concepts and developing protection strategies, considering how to collect, use and store any data as a result of the launch, and advising on online and offline marketing tactics, including issues involving the metaverse.
Karim Alhassan is a Reed Smith associate. His practice focuses on assisting clients with their compliance obligations regarding data privacy and security. More specifically, he has experience advising clients on their regulatory obligations stemming from emerging state privacy laws, as well as assisting in the defense of companies subject to regulatory investigations and actions by the Federal Trade Commission.