Anytime a new statute or regulation comes along, some law firms unfortunately flag issues that may not be of true concern to companies, or highlight problems that may not, in fact, exist.  Unfortunately, that continues to happen in connection with the California Consumer Privacy Act (“CCPA”).  In the context of retailer loyalty or reward programs, firms have said that the CCPA may spell the “end of loyalty programs,” or implied that the CCPA could lead to “the potential elimination of loyalty programs due to the nondiscrimination requirements.”  Some law firms have gone so far as to advise retailers to “address the issue[s]” caused by their loyalty programs by “not offer[ing] preferential pricing through loyalty programs” or by “mak[ing] loyalty program pricing available to all customers” regardless of whether they are, in fact, members of the loyalty program.  Such changes would, of course, destroy the business-case for having a loyalty program in the first place.

These concerns are incorrect and demonstrate a lack of understanding of the requirements of the CCPA.  While the Act is, without a doubt, flawed, poorly drafted, and prone to misinterpretation, it does not lead to the conclusion that most loyalty programs are inherently problematic; nor should it cause most retailers to drastically change the terms and structure of their program.  The hyperbolic treatment of loyalty programs by some law firms may also have contributed to several companies and industry groups echoing these concerns with the California legislature and the California Attorney General and alleging (incorrectly) that “the CCPA may prevent[] marketers from offering loyalty programs,” or that the CCPA as currently written prohibits “tiered pricing, discounts or coupons.”

The following dispels five (mis)statements that have been made in connection with the CCPA’s impact on loyalty programs.

  1. Myth: The CCPA prohibits “charging different prices or rates for goods or services.”

It does not.

The prohibition against price discrimination in the CCPA only applies to situation in which a consumer exercises a right conferred by the CCPA.  Nothing within the CCPA confers a right to join (or not join) a loyalty program.  For more information, see FAQ: Is a business prohibited from giving discounts to  loyalty program members?

  1. Myth: The CCPA states that the benefit provided to the consumer through a loyalty program must be reasonably related to the value provided to the business by the consumer’s data.

It does not.

As indicated above, the CCPA prohibits a business from engaging in price discrimination when a consumer exercises  a right under the CCPA.  The CCPA provides an exception to that prohibition when the discrimination relates to a “price or difference” that is related to the value provided to a business by the consumer’s data.1

While some lawyers have misinterpreted this as requiring that all loyalty program benefits be related to the value provided to the business by the consumer’s data, as noted above, the operation of the loyalty program itself is not prohibited by the CCPA and, thus, does not require the benefit of this exception.

For more information, see FAQ: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?

  1. Myth: Businesses must honor deletion requests for loyalty members.

They generally do not.

One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”2  While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program).  As this information was not collected “from” the consumer, it arguably does not fall within the gambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.), there are several exceptions to the CCPA which would allow a business to refuse a deletion request.  For more information about each of those exceptions, and a description of how they apply to most loyalty programs, see FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an active member? and FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an inactive member?

  1. Myth: Businesses that offer loyalty programs must include a “do not sell my personal information” link.

Not necessarily

The CCPA requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”3  The business must then include a link on its homepage titled “Do Not Sell My Personal Information” and allow consumers to opt-out of the sale.

The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.

For more information go to FAQ: Is a business required to post a “do not sell” link if it offers a loyalty program?

  1. Myth: Businesses that allow consumers to redeem points with third parties are selling information.

They generally are not.

The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.4  In the context of loyalty programs, it is not unusual for the operator of a loyalty program to enter into an agreement with a business partner (e.g., another company) to permit a consumer to redeem points accumulated through the loyalty program of business A in order to receive goods or services provided by business B.  For example, a hotel may have an agreement with a car rental service through which a consumer can redeem hotel loyalty points to receive a free car rental.

Such redemption arrangements may require the disclosure of personal information from one business (e.g., business A) to a second business (e.g., business b), and may include the payment of money or other consideration for the ability to receive advertising or promotion as a rewards provider.  As a result, and depending upon the structure of the business relationships, it is possible that, at first glance, the arrangement could fit the definition of “sale” under the CCPA.

Assuming that the transfer of information to a redemption partner did satisfy the definition of a “sale,” the CCPA contains an exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information.”5  As a result, if a consumer uses a loyalty program in order to interact with another business, or directs a loyalty program to disclose personal information as part of a points redemption, the loyalty program operator arguably has not “sold” information.

For more information, go to FAQ: If a business allows consumers to redeem loyalty program benefits for products or services offered by a partner, does that constitute the sale of information?

For questions or more information, contact the author, David Zetoony, or any member of our Data Privacy & Security team.

  1. Cal. Civil Code 1798.125(a)(1), (b)(1) (as amended by AB 1355).
  2. CCPA, 1798.105(a).
  3. CCPA, § 1798.130(A)(5)(C)(i).
  4. CCPA Section 1798.140(t)(1).
  5. CCPA, Section 1798.140(t)(2)(A).