Navigating the Financial Incentive Requirement of the California Consumer Privacy Act

Client Alert

March 2022

By: Travis P. Brennan, Shawn Collins

Why it Matters:

  • The California Attorney General’s Office recently made common types of consumer loyalty programs a target of enforcement. 
  • Compliance requirements include estimating the value of personal information collected through such programs and explaining that estimate to the consumer.
  • This is an unusual and controversial requirement, and the consequences of noncompliance are about to become even more serious. Right now, the letters from the attorney general give those who are not in compliance with the California Consumer Privacy Act ("CCPA") a total of 30 days to fix their violations. However, when the California Privacy Rights Act ("CPRA") amends the CCPA effective January 1, 2023, there will no longer be a mandatory
    30-day period to fix violations, meaning that the attorney general can take enforcement action promptly if a violation is discovered.
  • Non-compliance can lead to civil penalties of up to $7,500 per violation.

Since its enactment at the beginning of 2020, the CCPA has garnered a significant amount of attention. The watershed legislation, which is intended to strengthen privacy rights in the state and further protect its consumers, has forced countless businesses to change the way that they operate. However, for as much attention as the CCPA has attracted over the past few years, one area of the Act that is often overlooked relates to how businesses with customer loyalty programs need to be transparent regarding how they are profiting from personal data.

For businesses operating in the state, it is important to pay attention to this, as California Attorney General Rob Bonta recently put a spotlight on this part of the statute. On January 28—which also happened to be Data Privacy Day—Bonta said there would be “an investigative sweep” of several businesses that had loyalty programs in the state, and that these businesses would be sent notices that allege noncompliance with the CCPA. The attorney general’s office noted that they sent letters to businesses from a broad range of sectors from retail to travel to food services, instructing them that they have 30 days to fix their violation and become compliant with the financial incentive provision of the CCPA.

At its core, this is a provision of the CCPA that can have a wide-ranging impact. For instance, consider the sheer volume of websites there are that sell products to consumers and offer some sort of deal. You may visit a website and there is a popup that offers 10 percent off if you sign up for the company’s newsletter, so you sign up and then receive an email that provides instructions on how to get that discount. Now, under the CCPA, if the person who signed up for the newsletter is a California resident, the company is required to provide them with notice of how they will utilize their personal information for financial gain.

To showcase how the attorney general’s office is handling these violations, consider the following situation, which was published as one of the CCPA Enforcement Case Examples on the Office of the Attorney General’s website. According to the case, there was a business that has a chain of grocery stores that had required customers to provide personal information in order to be part of its loyalty programs. However, the business didn’t provide the necessary Notice of Financial Incentive and was notified of its noncompliance. Following the issuance of the notice, the business changed its privacy policy to include the notice and become compliant with the CCPA.

To better understand what is required of businesses under this provision, take a look at the exact language of Cal. Code Regs. tit. 11 § 999.307. According to the provision, the intention is to “explain to the consumer the material terms of a financial incentive or price or service difference the business is offering so that the consumer may make an informed decision about whether to participate.” It is important to note that for businesses that do not offer financial incentives, or price or service differences, there is no requirement to provide notice of financial incentive.

In order to provide a notice of financial incentive that is compliant with the CCPA, a business needs to meet a number of requirements. The first requirement is focused on the accessibility of the notice itself. According to the statute, the notice “shall be designed and presented in a way that is easy to read and understandable to consumers.” Additionally, the notice must use “plain, straightforward language and avoid technical or legal jargon.” The notice of financial incentive needs to utilize a format that both “draws the consumer's attention” and also needs to be “readable, including on smaller screens, if applicable.” According to the statute, the notice must be available in all of the languages that the business “in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.”

Further, the notice needs to be “reasonably accessible” for those consumers who have disabilities. The provision states that “the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference.” According to the statute, “the business shall provide information on how a consumer with a disability may access the notice in an alternative format.” Lastly, the notice also must be “readily available where consumers will encounter it before opting-in to the financial incentive or price or service difference.”

The notice itself has to include a number of pieces of information in order to be compliant with the CCPA. For starters, the notice of financial incentive needs to have a “succinct summary of the financial incentive or price or service difference offered.” Additionally, it must include a description of the material terms of either the financial incentive or of the price or service difference. This means informing the consumer of the categories of personal information that are involved with the financial incentive or price/service difference, as well as providing the consumer with the value of their data. 

Additionally, a business needs to inform the consumer how they can opt-in to either the financial incentive or the price or service difference. The business also must provide a statement that addresses the consumer’s right to withdraw from the incentive at any time, and they must explain to the consumer how they can go about withdrawing from the incentive. A notice also needs to explain how either the financial incentive or the price or service difference is “reasonably related to the value of the consumer's data.” According to the CCPA, this includes providing a “good-faith estimate of the value of the consumer's data that forms the basis for offering the financial incentive or price or service difference” and also a “description of the method the business used to calculate the value of the consumer's data.”

As signaled from the Attorney General’s office, there will be a continued focus on complying with the CCPA and this provision. We often need to remind our clients about the importance of focusing on their privacy policy in order to be compliant with the CCPA—especially when it comes to the notice of financial incentive.

This is an unusual and controversial requirement, and the consequences of noncompliance are about to become even more serious. Right now, the letters from the attorney general give those who are not in compliance with the CCPA a total of 30 days to fix their violations. However, when the CPRA amends the CCPA effective January 1, 2023, , there will no longer be a mandatory 30-day period to fix violations, meaning that the attorney general can take enforcement action promptly if a violation is discovered.

The financial incentive requirement of the CCPA is something that many businesses might not be aware of due to its rather unique nature. Yet given the penalties at stake and the AG’s focus on compliance, ensuring that this requirement is met is quite important. For each violation, there could be a penalty up to $2,500—and for intentional violations, this number jumps up to $7,500.

For businesses, one of the most challenging aspects of complying with financial incentive requirement is actually understanding how to accurately put a value on their customers’ data. As required by the CCPA, businesses need to make an estimate that is done in “good faith.” There is information provided in the CCPA that provides a level of guidance on how to make an estimate, yet this still remains a difficult process for businesses and is one of the hurdles they face when meeting this requirement.

Ultimately, with the state’s attorney general bearing down on CCPA compliance as it relates to the financial incentive provision, businesses need to ensure that they are following the law—especially with the California Privacy Rights Act on the horizon. As Attorney General Bonta noted, businesses will be held accountable for the way they handle customer information.

“I urge all businesses in California to take note and be transparent about how you're using your customer's data,” said Bonta in a press release. “My office continues to fight to protect consumer privacy, and we will enforce the law.”