Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”1 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:
For more information and resources about the CCPA visit http://www.CCPA-info.com.The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.