California has two statutes that apply to the sale of information: the California Shine the Light Law and the California Consumer Privacy Act.
The California Shine the Light Law applies to companies that have a business relationship with a consumer that is “primarily for personal, family, or household purposes” and that collect personal information online. As a result, the statute generally applies to B2C loyalty programs that are operated online. If the statute applies, it generally requires that a business that allows third parties to use information collected from consumers for the third parties’ own direct marketing tell consumers how they can request more information concerning the identity of those third parties. It is important to note, however, that if a business does not sell personal information (or allow other third parties to use personal information for their direct marketing), the business is not required to make an affirmative statement to that effect. In other words, if a loyalty program provides personal information to other companies and allows those companies to market products and services to consumers, the statute requires that the company disclose that fact; it does not require a loyalty program that does not share information with third parties for their own use to make any disclosures.
The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.