October 11, 2019
Authored by: Bryan Cave and David Zetoony
Loyalty programs can be, and are, structured in a variety of different ways. Some programs track dollars spent by a consumer, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share one thing in common, however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.” While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the ambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request. Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:
|Exception||Description of Exception||Applicability to Loyalty|
|Complete a Transaction||If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.2||✓ Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program. For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).|
|Provide a good or service||If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.3||✓ Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.|
|Detect wrongdoing.||If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.4||✓ Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.|
|Repair errors.||If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.5||✓ Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.|
|Internal uses aligned with consumer expectations.||If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” a business is not required to honor a deletion request.6||✓ Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business. These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.|
|Internal uses aligned with the context of collection.||If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.7||✓ Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information. Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.|
|Comply with legal obligations.||If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.8||✓ Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.|
The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.
CCPA Privacy FAQ: Is a business required to provide access to all information about the consumer maintained through a loyalty program?
Some of the rights conferred by the CCPA are limited to data collected “from the consumer,” whereas other rights apply to data “collected about” a consumer. Access rights are part of the latter category. As a result, if a business receives an access request from a member of a loyalty program, the CCPA requires that the business disclose “the specific pieces of personal information it has collected about that consumer.” This may be interpreted by courts as indicating that information must be disclosed regardless of whether the information was collected from the consumer directly, was received from a third party (e.g., a retailer, or a commercial partner), or was generated internally by a business.
CCPA Privacy FAQ: Is a business prohibited from giving discounts to loyalty program members?
The CCPA prohibits a business from charging different “prices or rates” or offering “discounts, or other benefits” based upon whether a consumer “exercised any of the consumer’s rights” under the Act. The Act does not confer a right to join (or not join) a loyalty program. As a result, the CCPA does not, on its face, prohibit a loyalty program from charging different prices or offering discounts to loyal consumers.
Some retailers have expressed concern that the CCPA may indirectly prohibit a business from charging different prices through a loyalty program because members of a loyalty program may exercise their right to request the deletion of their information. The specific concern is that if a loyalty program honored a deletion request, it would be forced to stop providing a benefit and thus could be accused of price discrimination. Such concern is unfounded in the context of most loyalty programs. Specifically, most loyalty programs are not required to honor most deletion requests. If a loyalty program chooses to honor a deletion request, there are several steps that can be taken to ensure that a consumer is not disadvantaged because of that election.
CCPA Privacy FAQ: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?
The CCPA provides, as an exception to its prohibition against discrimination, situations in which a “price or difference” is related to the value provided to a business by the consumer’s data. While some retailers have suggested that this exception may require that all retailers explain how the benefits of their loyalty program relate to the value to a business of loyalty program members’ data, such an interpretation overlooks the fact that the anti-discrimination provisions of the CCPA only require that a business does not discriminate against a consumer that exercises a right under the CCPA. As joining a loyalty program is not, in and of itself, a right, a business is not required to explain how the benefits offered by the loyalty program relate to the value provided to the business by consumer data.
CCPA Privacy FAQ: Is a business required to provide a privacy notice in conjunction with a loyalty program?
To the extent that a loyalty program collects personal information, it is required to provide a privacy notice consistent with the CCPA.
CCPA Privacy FAQ: What rights does a consumer have in relation to a loyalty program?
Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. All loyalty programs share several things in common, however – they collect information about consumers and they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.
Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:
|Right||Applicability to Loyalty Program|
|Privacy Notice||✓ A loyalty program that collects personal information of its members should provide a notice that, at a minimum, discusses the type of information collected and the purposes to which it will be put.1|
|Access to Information||✓ A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.2|
|Deletion of information||X Unless the terms and conditions of the loyalty program give the consumer the right to delete their account, or the right to delete information relating to their account, a company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.|
|Opt-out of sale||✓ A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information.|
For more information and resources about the CCPA visit http://www.CCPA-info.com .