Does the CCPA require that the benefits conferred by a loyalty program be “reasonably related” to the value of a consumer’s data to the business?

Arguably no.

The CCPA makes clear that a business can offer different prices or rates to consumers as part of a financial incentive program if those different prices or rates are “directly related to the value provided to the business by the consumer’s data.”¹  The CCPA does not, however, directly prohibit the offering of a financial incentive if the value provided to the business by the consumer’s data is not “directly related” to the value of the financial incentive.

The CCPA also states that a business may not, through a financial incentive program (or any other activity), discriminate against a consumer because the consumer “exercised any of [their] rights” under the CCPA (e.g., access, deletion, or opt-out of sale), unless the difference in price, rate, or quality that forms the basis of the discrimination is “reasonably related to the value provided to the business by the consumer’s data.”²

In commentary published with the issuance of the regulations implementing the CCPA, the California Attorney General informally suggested that the Act might be interpreted as requiring that the benefit provided by all loyalty programs should be “reasonably related to the value of the consumer’s data to the business.”³  The California Attorney General did not explain, however, the basis for his assertion, and such a position would directly conflict with the text of the CCPA (described above) which applies the “reasonable relationship” test only to situations in which “discriminat[ion]” is prompted by the “exercise[] . . . of the consumer’s rights.”⁴ Furthermore, in other statements made by the Attorney General, he concedes that the “reasonable related” standard applies only in the context of discrimination.⁵

As a result, there is a strong argument that the price or rate discounts offered through a loyalty program do not need to be reasonably related to the value that a business derives from data, so long as the business does not discriminate against a consumer that attempts to exercise a privacy right.

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.125(b)(1).

2. CCPA, Section 1798.125(a)(1), (2).

3. FSOR Appendix A at 75 (Response No. 254), 274 (Response No. 815).

4. CCPA, Section 1798.125(a)(2).

5. FSOR Appendix A at 273 (Response No. 814).