February 8, 2022

California Attorney General Turns Enforcement Attention to Loyalty and Rewards Programs

Holland & Knight Cybersecurity and Privacy Blog
Ashley L. Shively

The Office of the Attorney General (OAG) for the State of California has sent a second round of noncompliance notices to businesses under the California Consumer Privacy Act (CCPA) and announced "an investigative sweep of a number of businesses operating loyalty programs in California."

The CCPA became effective Jan. 1, 2020, and enforcement by the Attorney General began July 1, 2020. A year later, the OAG issued its first round of violation notices. Based on "illustrative examples" of its CCPA enforcement cases, the OAG's enforcement priorities at the time included transparency in privacy policies, inclusion of the "Do Not Sell" link, and the verification and submission of rights requests. Loyalty programs now appear to join that list.

The CCPA and its current regulations contain various provisions concerning rewards and loyalty programs. The Act itself provides that "a business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to" by denying or charging more for goods or services, including through the use of discounts or other benefits, or providing a different level or quality of goods or services to the consumer. [1] However, a business may provide a different price, level or quality of goods or services if the difference is "reasonably related to the value provided by the consumer's data"; "in connection with a consumer's voluntary participation in a loyalty, rewards, premium features, discount, or club card program"; or "for a specific good or service whose functionality is reasonably related to the collection, use, or sale of the consumer's data." [2]

The regulations substantially expand on the statutory requirements and impose a new requirement for an explicit "notice of financial incentive." The notice – which is typically found as a section in the privacy policy – must include 1) a summary of the program, 2) the program's material terms, 3) how to opt in or out of the program, and 4) how the incentive is reasonably related to the value of the consumer's data, including a good-faith estimate of the value and a description of the method the business used to calculate the value. [3] To calculate the value of consumer data, the regulations offer eight factors for consideration, including the average value to the business, and revenue generated by, or expenses related to, the sale, collection or deletion of a consumer's data. [4] Importantly, the eighth factor is "any other practical or reasonably reliable method of calculation used in good faith."

Further, if "a business is unable to calculate a good-faith estimate of the value of the consumer's data or cannot show that the financial incentive … is reasonably related to the value of the consumer's data," the regulations provide "that business shall not offer the financial incentive or price or service difference." [5]

The Office of the Attorney General has yet to bring a public enforcement action for any alleged CCPA violations. Nevertheless, the OAG's announcement is a strong reminder that consumer privacy remains a top priority for the state, particularly as the California Privacy Protection Agency (CPPA) gets underway with its own rulemaking under the California Privacy Rights Act (CPRA).

For more information about the CCPA, CPRA, CPPA, guidance interpreting privacy laws or questions on establishing a compliant privacy program, contact the author or Mark Melodia, chair of Holland & Knight's Data Strategy, Security & Privacy Team. To stay informed on the latest data privacy news, sign up to receive updates to the Holland & Knight Cybersecurity and Privacy Blog.


[1] Cal. Civ. Code § 1798.125(a)(1).

[2] Cal. Civ. Code §§ 1798.125(a)(2), (b).

[3] Cal. Code Regs. Tit. 11, § 999.307.

[4] Cal. Code Regs. Tit. 11, § 999.337.

[5] Cal. Code Regs. Tit. 11, § 999.336.
