CCPA Privacy FAQs: Is a business required to provide a privacy notice in conjunction with a loyalty program?

October 7, 2019

Generally, yes.

To the extent that a loyalty program collects personal information, it is required to provide a privacy notice consistent with the CCPA.

One of the rights granted to individuals under the CCPA is the right to be informed about the collection and use of personal data.[1] A privacy notice (sometimes referred to as a privacy policy or information notice) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses the data, with whom the company shares the data, and how the company protects the data. The CCPA requires that a business subject to the Act’s jurisdiction “inform consumers” about the categories of information collected and the purposes of that collection “at or before the point of collection.”[2] The CCPA also requires that a business that posts an online privacy policy include within it certain additional disclosures relating to the rights of California residents, the specific categories of information collected, and the practices that the company has in relation to the sale of information.[3]

For more information and resources about the CCPA visit 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civ. Code § 1798.100(b).

2. Id.

3. Cal. Civ. Code § 1798.130(a)(5)(A)-(C).