On March 11, the California Attorney General released revised draft regulations for the California Consumer Privacy Act (CCPA). This third version of the revised regulations is available here. The comment period for those proposed changes ended on March 27. If you’re reading this blog you likely have some familiarity with the CCPA, but if you’ve been fortunate enough to avoid the nitty gritty of the sweeping privacy law, you can catch up with the coverage at our sister blog, the Data Privacy Monitor. In this post, we want to focus on an area that has been the topic of much consternation: loyalty programs.

As meat has been added to the bones of the CCPA through the proposed regulations, many commenters have feared that the Title’s requirements would effectively eliminate loyalty programs in California. While the CCPA will regulate loyalty programs and require certain compliance steps, it won’t shut down most programs.

A loyalty or rewards program is subject to restrictions under the CCPA’s regulations if it is a “financial incentive” under that law. Financial incentives that impact CCPA rights are considered discriminatory and must meet certain requirements in order to operate. The regulations define a “financial incentive” as “a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.” What this effectively means is that a program is governed by the CCPA only if it requires an individual to waive some or all of his or her CCPA rights in order to participate. A program can still request that participants waive a CCPA right, but if it excludes participants who choose to exercise their CCPA rights, then it will be subject to additional restrictions. The regulations provide the below example, in which a loyalty program denies members the right to opt out of the sale of their personal information (PI), making it a financial incentive.

A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt out of the sale of their personal information. The retailer complies with the request but no longer allows the consumer to participate in the loyalty program.

In this example, the grocery store’s program would be considered a financial incentive and as a result subject to the requirements in the regulations. However, this does not mean that requiring membership in the loyalty program is itself a limitation on CCPA rights. There are exceptions provided within the CCPA for when a business may deny a consumer’s request to know, request to delete or request to opt out. For example, Section 1798.105(d) of the Title provides three exceptions to the right of deletion that should permit limiting deletion of PI to the extent necessary to provide program benefits, so long as the PI is used only for that purpose and not for something else like marketing:

  • To complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
  • To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  • To otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

An example added to the second version of the regulations illustrates this:

A clothing business offers a loyalty program whereby customers receive a $5-off coupon to their email address after spending $100 with the business. A consumer submits a request to delete all personal information the business has collected about them but also informs the business that they want to continue to participate in the loyalty program. The business may deny their request to delete as to their email address and the amount the consumer has spent with the business because that information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’ ongoing relationship with them ….

This would not, however, be the case where the email was retained for unrelated purposes such as to send marketing or to create segments for custom ad delivery on social media platforms. On the other hand, where a program benefit is a monthly promotional flyer with coupons, use of the email for sending that flyer would be a program benefit that could be distinguished from marketing unrelated to program operations. Marketing as related to loyalty programs will need to be carefully scrutinized to see what side of the fence it falls on – program operations or waiver of rights. For example, permitting an opt-out of non-program marketing while retaining program benefits would be enough to exclude the program from being a regulated financial incentive under the CCPA.

The takeaway is that a loyalty program is not subject to further restrictions under the regulations if members are permitted to delete their data for purposes other than program administration, and their rights “to know” (i.e., access their personal information) and to opt out of third-party commercial transfers (i.e., do not sell) are not encumbered by program requirements. However, if the program does limit CCPA rights, then for it to be legal under the CCPA the company must (a) establish that the program’s benefits are reasonably related to the value of the PI that is subject to the CCPA limitations; and (b) comply with the CCPA’s and regulations’ provisions regarding the offering and operation of financial incentives for limitation of CCPA rights, which include certain notices in the privacy policy, express opt-in, and the ability to opt out and regain all CCPA rights.

Arguably the most difficult requirement is the establishment of the reasonable value exchange. The proposed regulations at Section 999.337 lay out eight acceptable valuation methodologies, and Section 999.307(b)(5) requires that the companies’ privacy notice describe the method used to calculate the value of the consumer’s data. Methods 1–7 all rely on objective and quantifiable valuation measures, such as what a company receives for the sale of the data or the cost of the incentive(s) provided. Some incentives may not lend themselves to such types of measurement, especially where the company’s use of the personal information is entirely internal. For example, where a consumer must continue to consent to receive non-program marketing from the company to maintain loyalty program benefits, and benefits are largely intangible and/or vary significantly as between consumers, it may be difficult to establish a quantifiable pecuniary value.

There are two sections of the proposed regulations that provide companies some help in meeting the valuation requirements in such situations. First, Section 999.337(b) provides that “[f]or the purpose of calculating the value of consumer data, a business may consider the value to the business of the data of all natural persons in the United States,” not just of California consumers or any particular consumer. Further, method 8 is a broad catch-all – “[a]ny other practical and reasonably reliable method of calculation used in good faith.” It is a fundamental principle of contract law that, absent extraordinary circumstances like duress, when two parties knowingly exchange consideration as part of an agreement, the consideration exchange will be deemed reasonable and the contract enforced. Accordingly, it is submitted that if methods 1–7 cannot be effectively applied under the circumstances, and if all the terms of the incentive program were meaningfully explained to consumers and all consumers had an equal ability to accept the terms and obtain the incentive, then the nature of the arm’s-length agreement should serve as a practical and reasonable measure that the value of the personal information subject to terms that restrict the CCPA rights the consumer knowingly waived in order to be in the program is reasonably related to the value of the incentives received. This is even more so given that the CCPA and the regulations require detailed notice of the incentive terms and an affirmative opt-in acceptance, along with the ability to opt out of the program at any time. Of course, if the terms were not clearly explained so as to be knowingly accepted, or are otherwise unconscionable, the exchange of value (i.e., consideration) could not stand. That should not be the case with customary retailer loyalty programs, and thus many programs should be able to rely on method 8 to support consumer opt-in to clearly and conspicuously notified terms that identify what the participant is receiving and giving up in exchange.

Accordingly, the CCPA does not mean the end for loyalty programs – the sky is not falling. But it does create more complexity for companies seeking to maintain compliant loyalty or rewards programs. Terms need to be clearly explained, including the specifics of any CCPA rights limitations necessary to continue receiving program benefits, and of what those benefits are. The terms need to explain the basis for determining that the incentive is reasonably related to whatever limitations on CCPA rights are required, and if the company is relying on method 8, in whole or in part, the terms should include an acknowledgement by the participant that the consumer accepts the incentives as a fair and reasonable exchange for the limitations on CCPA rights. Consumers must then affirmatively accept those terms and be informed of how they can withdraw that opt-in at any time.

In the coming weeks, the regulations are expected to become final. There could conceivably be some additional changes to the provisions on financial incentive programs. Once the regulations are final, and before the July 1, 2020 date that commences enforcement of the CCPA, companies with loyalty programs should look at their program terms, including benefits, limitations on CCPA rights, and subscription and termination provisions, and ensure that the program is CCPA compliant. This may entail requiring California participants to receive better notice of program terms and to affirmatively accept them to remain in the program. We’ll keep you updated on CCPA developments. If you have a loyalty program open to California consumers, contact your BakerHostetler attorney concerning whether there are any steps you need to take.