Companies with Loyalty Programs in the Crosshairs for CCPA Compliance Investigations


California’s Attorney General has put businesses operating loyalty programs in the state on notice that they may be subject to investigation. AG Rob Bonta has done so by sending notices to several companies alleging noncompliance with the California Consumer Privacy Act (CCPA)—a law that requires businesses offering discounts, free items or other rewards to provide consumers with a notice of financial incentive when these offers are made in exchange for personal information.

Pursuant to the CCPA, companies with loyalty programs—including those in the retail, home improvement, travel and food services industries—are obligated to describe the material terms of their financial incentive initiatives before customers opt in to participate. Businesses that have failed to do so have 30 days to cure and come into compliance with the law.

AG Bonta’s recent action brings into focus the reality that data within the confines of the CCPA is collected not only online, but whenever customers enter personal information—like phone numbers and addresses—to avail themselves of discounts and rewards, even at a supermarket, a local coffee shop or favorite clothing store. The takeaway: brick and mortars collect data too, an action that can bring with it government scrutiny by virtue of the CCPA.

To date, the CCPA is known to be the toughest data privacy law in the U.S. Its enforcement across industries by California’s Department of Justice began in July 2020, but as a wide-ranging data regulation platform, its impacts are being felt by companies nationwide. Among the businesses that have received noncompliance notices are data brokers, marketing companies, media outlets and online retailers.

Given the AG’s commitment to the ongoing and robust enforcement of the CCPA, every customer-facing company needs a CCPA Data Privacy Compliance Assessment, and time is of the essence as CCPA compliance requirements become even stricter in 2023.

Of course, the cybersecurity, privacy and data team at Michelman & Robinson, LLP is here to address any of your CCPA-related concerns. Feel free to contact Matthew Yarbrough at myarbrough@mrllp.com should you have any questions.

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.