How to Construct a Notice of Financial Incentive Under the CCPA

Under the California Consumer Privacy Act (“CCPA”), businesses are prevented from discriminating against consumers who act to exercise their rights to safeguard their personal information. However, the CCPA preserves the right of a business to charge different prices or rates or to provide consumers with differing levels or quality of goods or services “if that difference is reasonably related to the value provided to the business by the consumer’s data,” or to offer consumers the opportunity to participate in consumer “loyalty, rewards, premium features, discounts, or club card programs.”

But when a business offers a “financial incentive,” such as “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion or sale of personal information,” it must provide the consumer with a Notice of Financial Incentive.

California Attorney General (“AG”) Rob Bonta has recently signaled that his office will enforce this financial incentives clause, following an “investigative sweep” of businesses that offer loyalty programs to their consumers. The investigation focused on assessing the data collection practices of these loyalty programs, and resulted in the AG issuing several notices of non-compliance with the CCPA. Here’s what your organization needs to do to comply with this clause:

Constructing a Notice

A Notice of Financial Incentive must be readily available to the consumer before or when they opt into a loyalty program. Specifically, a notice must include the following:

  • A summary of the financial incentive or any distinction in prices or services offered via the program;

  • A clear description of the “material terms” of the program, including the categories of consumer personal information that will be collected;

  • Procedures or processes that the consumer can utilize to opt-in to the program;

  • Notice of the consumer’s right to withdraw or opt-out of the program at any time and for any reason;

  • A statement explaining how the program is “reasonably related” to the value derived from the consumer’s data, including:

    • A good-faith estimate of the value derived; and

    • A description of the method utilized to calculate the value of the consumer’s data.

According to the AG’s announcement, the businesses that received notification of violation of the CCPA were given 30 days to come into compliance before incurring further enforcement action from the AG. Additionally, the AG “urge[d] all business[es] in California to take note and be transparent about how you are using your customer’s data,” which signals the state’s intent to continue to pursue businesses offering these types of incentive programs to ensure compliance with the CCPA.

In consideration of this implied notice from the AG, all covered businesses under the CCPA should consider a review of any incentive programs that they offer to their consumers. As a practical note, the most significant challenge in the compliance requirements is assessing the “value” of the consumer’s personal information, a requirement that has not been explained in detail by the CCPA or the AG.

As these values will be shared with the consumer, they should be considered “published information” from the business, meaning they can be used against the business in a court of law. As such, the value assessed should take into consideration all accounting, tax, litigation, regulatory compliance, and business development implications.
