What is loyalty? Ask a mob boss, a Los Angeles Lakers fan and a Labrador retriever, and you might get three different answers. Ask a retailer, and they’ll likely tell you that a loyalty program can be a great tool for rewarding their best customers and helping drive further purchases. But with these benefits come privacy compliance costs, including under some unique provisions of the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA).

While both the CCPA and the CPA regulate personal information used for loyalty programs, they go about it in somewhat different ways. The CCPA also appears to have a broader scope in terms of the types of activities it regulates. As this is an area of active enforcement under the CCPA and a likely focus for enforcement under the CPA, understanding when these rules apply and what they require is critical to compliance.

A. Definitions and Comparative Scope

1. Colorado

The CPA regulations define a “Bona Fide Loyalty Program” as “a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing Bona Fide Loyalty Program Benefits to Consumers that voluntarily participate in that program, such that the primary purpose of Processing Personal Data through the program is solely to provide Bona Fide Loyalty Program Benefits to Consumers that voluntarily participate.” A “Bona Fide Loyalty Program Benefit” is “an offer of superior price, rate, level, quality, or selection of goods or services provided to a Consumer through a Bona Fide Loyalty Program. Such benefits may be provided directly by a Controller or through a Bona Fide Loyalty Program Partner.” A “Bona Fide Loyalty Program Partner” is a Third Party (as defined by the CPA) that provides Bona Fide Loyalty Program Benefits, either alone or jointly with the business. Putting these terms together, a “Bona Fide Loyalty Program” has four key components, which are:

  1. a loyalty, rewards, premium feature, discount or club card program
  2. established for the purpose of providing a superior price, rate, level, quality or selection of goods or services
  3. to consumers who voluntarily participate
  4. such that the primary purpose for processing the consumer’s personal information is solely to provide loyalty program benefits.

This definition appears targeted at traditional loyalty or rewards programs in which consumers sign up to receive points, discounts or other benefits on an ongoing basis when they make qualifying purchases. Given that a program must meet each of the four criteria described above to qualify as a Bona Fide Loyalty Program, the definition does not appear intended to sweep in all circumstances in which a consumer provides a business with personal information in order to receive a discount or other type of benefit. For example, a general marketing distribution list that may involve sending coupons or information about sales to consumers who provide their email addresses may not meet all the criteria necessary for the offering to be treated as a Bona Fide Loyalty Program. This interpretation is further supported by the examples of Bona Fide Loyalty Programs within the Regulations, which concern a hypothetical grocery store loyalty program, a hotel chain points program, and a retailer offering discounts based on consumers’ purchase histories.

2. California

By contrast, the CCPA regulations define a “Financial Incentive” as a “program, benefit, or other offering, including payments to consumers, for the collection, retention, or sharing of personal information. Price or service differences are types of financial incentives.” Although the California attorney general’s enforcement of Financial Incentives has focused on loyalty programs and the CCPA includes compliant “loyalty, rewards, premium features, discounts, or club card programs” as examples of offerings that can be provided without violating the CCPA’s nondiscrimination provision, a traditional loyalty program is not necessarily the only type of Financial Incentive under the CCPA. According to the attorney general, “[u]nder the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive.” The potential applicability to discounts or free items that require the collection, retention or sharing of personal information implies that the scope of what counts as a Financial Incentive under the CCPA may be broader than a Bona Fide Loyalty Program under the CPA.

B. Key Requirements for Compliance

Both the CCPA and the CPA affirmatively authorize businesses to offer financial incentives and loyalty programs so long as they satisfy certain rules. However, the CCPA and the CPA regulations differ in terms of what they require of businesses that offer a Bona Fide Loyalty Program or a financial incentive.

1. Notice

The CCPA and the CPA require specific notices covering financial incentives and Bona Fide Loyalty Programs, respectively. Although the motivation behind these rules appears to be a shared goal of transparency, the specific requirements differ significantly. The information required to be included in a California Notice of Financial Incentive and a Colorado Bona Fide Loyalty Program disclosure is detailed in a chart here.

As can be seen in the chart, the required disclosures do not directly overlap. Broadly, the CCPA regulations are far more concerned with the economics of a financial incentive (and even include specific rules governing how to calculate the value of personal information), whereas the CPA regulations focus more on disclosures of personal information to third parties. Due to the differences in disclosure requirements, businesses subject to both laws will need to decide whether to create separate loyalty notices for California and Colorado or combine them in a single, expanded notice directed to consumers in both states. Notably, none of the other state comprehensive privacy laws passed to date include specific disclosure requirements focused on loyalty programs or financial incentives.

2. Consent

The CCPA provides that a business “may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent . . . that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.” By contrast, the CPA does not include additional consent requirements for enrollment in a Bona Fide Loyalty Program, though by definition, participation in a Bona Fide Loyalty Program must be “voluntary.” A business must obtain consent from Colorado consumers before processing their sensitive data in connection with a Bona Fide Loyalty Program or using personal information for a secondary purpose; however, both of these circumstances involve general rules that also apply outside the context of loyalty programs.

3. Impact on Data Subject Rights

The CPA expressly envisions that there may be situations where a consumer’s decision to exercise a data subject right – in particular, a request to delete personal information, a request to opt out of sales of personal information or a refusal to consent to processing sensitive data – makes it impossible for the business to provide all the benefits associated with the Bona Fide Loyalty Program. Although each right is addressed by a separate rule, as a general principle, when a consumer exercises their data subject rights, the business may stop providing impacted loyalty program benefits but must continue to provide any benefits that do not require the personal information impacted by the consumer’s data rights request. This necessitates a nuanced understanding of which elements of data are needed for which types of benefits, as it would not be sufficient to terminate a consumer’s loyalty account when they exercise their privacy rights unless all data involved is impacted by their request.

Moreover, the CPA imposes certain timing requirements on businesses when a consumer exercises a right that affects membership in a loyalty program; the business will have 24 hours prior to discontinuing the loyalty program benefit or membership to inform the consumer of the same and must also provide a reference or link to the Bona Fide Loyalty Program Disclosure.

The CCPA is less specific about the impact of data subject requests on loyalty program benefits or other financial incentives, but a consumer’s request to delete data needed to provide loyalty program benefits would likely fall within the exception under Cal. Civ. Code § 1798.105(d)(1) for information needed to “provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.” Indeed, the CCPA regulations include the following example:

A clothing business offers a loyalty program whereby customers receive a $5-off coupon by email after spending $100 with the business. A consumer submits a request to delete all personal information the business has collected about them but also informs the business that they want to continue to participate in the loyalty program. The business may deny their request to delete with regard to their email address and the amount the consumer has spent with the business because that information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with them pursuant to Civil Code section 1798.105, subdivision (d)(1).

This outcome (in which the business retains the personal information and the consumer remains enrolled in the program) appears to be the opposite of that intended by the Colorado regulations (which call for ending the consumer’s enrollment in the program, subject to 24 hours’ notice).

The CCPA regulations also include this example:

A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt-out of the sale/sharing of their personal information. The retailer complies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory unless the grocery store can demonstrate that the value of the coupons and special discounts are reasonably related to the value of the consumer’s data to the business.

With these examples in mind, businesses should carefully assess the impact of an individual privacy rights request on a loyalty program or other financial incentive in which the consumer participates. This requires examination of whether specific types of data or processing are necessary to continue providing the benefits as well as the CCPA’s requirement that the value of the benefits be reasonably related to the value of the consumer’s personal information. Moreover, the outcome in terms of deleting or retaining relevant data may differ by state.

C. Enforcement Risk

The California attorney general has actively enforced the CCPA’s financial incentive rules against many businesses. Although the updated regulations promulgated by the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act (CPRA) made modest changes to the financial incentive rules, it is likely the CPPA and the California attorney general would consider the revised rules fully enforceable, even in advance of the July 1 enforcement deadline provided for new rules under the CPRA. Alternatively, either California enforcer could bring an action based on an alleged violation of the prior version of the rules. Enforcement under the CPA remains more of an unknown, though given the detail included within the CPA regulations, it appears Bona Fide Loyalty Programs are an area of interest for the Colorado attorney general. In the event of an enforcement action, the CPA’s right to cure might allow a business to resolve an alleged violation, depending on the nature of the issue.

D. Conclusion

In some ways, the CPA appears to take a more measured approach to Bona Fide Loyalty Programs than do the CCPA’s rules on financial incentives. However, both states impose unique requirements that businesses must follow for in-scope activities, raising the overall compliance burden for businesses subject to both laws. Businesses that operate programs for consumers that involve the collection of personal information in exchange for a benefit should assess the applicability of these specialized rules and prepare appropriate notices and procedures to comply with them.