To celebrate Data Privacy Day, on January 28, California Attorney General Rob Bonta announced an investigative sweep of businesses offering loyalty programs in California. This should come as no surprise, as Attorney General Bonta highlighted loyalty programs as one of the areas of non-compliance his office addressed during the first year of California Consumer Privacy Act (CCPA) enforcement. In this sweep, the Attorney General’s office sent letters of non-compliance to businesses across different industries, including in the travel and food services industries. Those companies have 30 days to cure their non-compliance or will be subject to further enforcement action and penalties.
Although widely considered the most prescriptive privacy law in the United States, the CCPA is, at its core, a “notice and choice” law. Businesses subject to the CCPA are companies doing business in California that:
- Have a gross annual revenue of more than $25 million; or
- Derive more than 50 percent of their annual income from the sale of California consumer personal information; or
- Buy, sell or share the personal information of more than 50,000 California consumers annually.
All of these companies must provide consumers with notice of what personal information is being collected about them and give consumers the choice to decide how the information is used and shared. While businesses may not discriminate against consumers for exercising their rights under the CCPA (e.g., by opting out of the sale of personal information), businesses may offer financial incentives or offer discounts if a consumer agrees to provide the business with personal information.
The regulations adopted under the CCPA provide that a business that offers a financial incentive or price or service difference must give a “notice of financial incentive.” The notice of financial incentive must explain to the consumer in plain language the material terms of the financial incentive or price or service difference so the consumer can choose whether to participate. [Note that the notice may need to be available in languages other than English and be reasonably accessible to consumers with disabilities.]
The notice of financial incentive must include:
- A summary of the financial incentive or price or service difference;
- A description of the terms of the offer, including the categories of personal information and the value of that information;
- How a consumer can opt in;
- How a consumer can opt out after opting in; and
- How the business calculated the value of the personal information.
A financial incentive is defined as a “program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.” A price or service difference is defined as “(1) any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, or sale of personal information, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer related to the collection, retention, or sale of personal information, including the denial of goods or services to the consumer.”
Below are a few examples of hospitality businesses that must provide a notice of financial incentive to their customers:
- A local coffee shop offers a free cup of coffee for every 10 cups purchased and tracks this loyalty program through its customers’ cell phone numbers.
- A hotel chain tracks loyalty points based on the number of nights stayed or amount spent, provides a discount on a future stay or free wifi when the customer reaches a certain number of points, and associates the loyalty points with a guest’s name, address, email address and IP address.
- A restaurant has an app with a loyalty program that offers a free appetizer on the customer’s birthday, and the app requires enrolling through a unique account name, providing birthdate and tracking geolocation data.
A business needs to provide a notice of financial incentive prior to offering a loyalty program, whether the business operates online or in person.
- If a business offers the loyalty program online, such as when booking a hotel room through a website, the notice of financial incentive can be given to customers by providing a link to the section in the business’ privacy policy that contains the notice of financial incentive.
- If a business offers the financial incentive or price or service difference in person (such as in a coffee shop or restaurant), the business should ensure that the notice of financial incentive is printed and placed in a location where consumers will be able to see and read it before opting in to the loyalty program.
While the CCPA provides that the Attorney General must give notice and an opportunity to cure before issuing penalties, it’s good business practice to work on ensuring compliance with the CCPA now, before having a spotlight directed on your business operations. The Attorney General’s office has made clear that businesses need to provide a notice of financial incentive if they are operating loyalty programs. Don’t be caught in the next sweep. If you have a loyalty program or are thinking about implementing a loyalty program and don’t have a notice of financial incentive, please feel free to contact our Privacy, Cybersecurity & Data Protection team for assistance.
About the Editor
Greg Duff founded and chairs Foster Garvey’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.