Loyalty programs are structured in a variety of different ways.  Some programs track dollars spent by consumers, others track products purchased.  Some programs are free to participate in, others require consumers to purchase membership.  Some programs offer consumers additional products, other programs offer prizes, money, or third party products.  All loyalty programs share several things in common, however – they collect information about consumers and they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA.  In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

Right

Applicability to Loyalty Program

Privacy Notice

  A loyalty program that collects personal information of its members should provide a notice that, at a minimum, discusses the type of information collected and the purposes to which it will be put.1

Access to Information

✓  A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.2

Deletion of information 

X  Unless the terms and conditions of the loyalty program give the consumer the right to delete their account, or the right to delete information relating to their account, a company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.

Opt-out of sale

✓  A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information.

 

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


[1]               Cal. Civil Code 1798.100(b).

[2]               Cal. Civil Code 1798.100(a).