The CCPA and your loyalty program

By Emily Leach

If you have a loyalty program, it likely means you are collecting, retaining, processing, sharing and/or selling consumer data at a higher level than many other businesses. This data is a treasure trove for bad actors dealing in stolen data and may make companies with loyalty programs more of a target for hackers. These programs also fall under the scope of privacy laws like the California Consumer Privacy Act (CCPA), which went into effect at the beginning of the year, meaning companies with loyalty programs are facing more challenges than ever before.

Ensuring the security of the information you hold should be a priority for all companies, and the more data you hold — and the more sensitive that data is — the bigger risk you have when your systems are compromised. Data breaches can result in significant reputational and financial damage. Adding to that, under CCPA California consumers have a private right of action for data breaches and fines for violations of CCPA can reach up to $7,500 per violation. The dollars can add up pretty quickly if your privacy and security programs aren’t up to the task.

The CCPA also requires companies within its scope to provide California consumers with the right to access, delete and opt out of the sale of their personal data. And, where incentives are offered in exchange for consumer data, it sets some prescriptive bars companies must meet.

One major challenge CCPA brings to businesses with loyalty programs is its non-discrimination provision, which requires businesses not to discriminate against consumers who exercise their rights under CCPA.

The non-discrimination provision requires that any incentive or benefit the consumer receives for allowing the collection, retention or sale of their personal information is related to the value their data has to the business.

The California Attorney General’s CCPA regulations include an example to illustrate this requirement:

“A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt-out of the sale of their personal information. The retailer complies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory unless the grocery store can demonstrate that the value of the coupons and special discounts are reasonably related to the value of the consumer’s data to the business.”

This, coupled with the CCPA’s right to deletion and right to opt out of the sale of personal information, means businesses with loyalty programs predicated on whether a consumer allows the business to collect, retain or sell their data probably have some work to do.

Data valuation

In addition to the non-discrimination requirement, a major challenge businesses will have to overcome (and perhaps the biggest challenge) is determining the value of the data being retained in relation to the benefits of the loyalty program. In order to comply with this requirement, you need to come up with and document a method to calculate the value of customer data.

The AG regulations offer some guidance on this as well, providing the following list for you to consider when determining the methodology:

  • The marginal value to the business of the sale, collection, or deletion of a consumer’s data
  • The average value to the business of the sale, collection, or deletion of a consumer’s data
  • The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers
  • Revenue generated by the business from sale, collection, or retention of consumers’ personal information
  • Expenses related to the sale, collection, or retention of consumers’ personal information
  • Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference
  • Profit generated by the business from sale, collection, or retention of consumers’ personal information
  • Any other practical and reasonably reliable method of calculation used in good faith

Provide appropriate notice of incentive programs

Once you have established a method to determine the value of customer data, you need to ensure that you are providing information about your loyalty or incentive programs in your privacy notice or in a separate notice of incentives. How you do this depends largely on the ways you interact with your customers—are you online only, or do you have brick-and-mortar locations where people shop? Identify appropriate methods for notice depending on this assessment and also the languages in which you operate.

The notice should include:

  • A summary of the incentive
  • A description of the terms of the incentive, including the categories of personal information that are implicated and the value of that data
  • How the consumer can opt in
  • Notice of the consumer’s right to withdraw from the incentive and how
  • An explanation of how the incentive is related to the value of the consumer’s data, including the method you used to calculate the value of the consumer’s data

Opt-in only

Finally, CCPA requires that any incentive program is run on an opt-in basis — meaning a customer must actively agree to being part of the program.

Creating a program that’s opt-in, developing your data valuation method and appropriately notifying individuals of your incentive program will put you on the right side of the law — but there are other things you can do to mitigate overall risk.

Know what you collect, know what you use, make sure they match up

Having a good understanding of the data you collect about your customers, and how it’s used once you have it, should be the foundation of all your decision-making. In order to do this, you need to talk to representatives from across your organization and understand what data they use and how. In the EU General Data Protection Regulation this is referred to as creating records of processing activities, or ROPAs. ROPAs are not explicitly required by CCPA, but because they underpin so many aspects of CCPA compliance, conducting them is an enormously valuable exercise.

Beyond helping in your compliance activities, understanding what data different teams use and comparing that to the data you collect may reveal areas where you can tighten up your data collection practices, thereby reducing the impact of a data breach.

In our consulting practice, we frequently find that clients collect more information than they use — and even more often, they keep it long past the time it holds any value for them. Which brings us to the next point.

Delete or do not collect data you don't need

So, what to do when your ROPAs reveal that you’ve been collecting personal information about customers that you don’t need or use? Get rid of it! Then change your collection practices to stop collecting information you don’t actively use. Remember, you can’t lose something you don’t have.

Additionally, most of the information you collect is valuable in its identifiable state for a period of time, and then loses its value. Often, this data just sits in your cloud storage because storage is cheap and who knows — maybe you’ll want it someday. Keeping personal information indefinitely exposes you to unnecessary risk.

Make sure you have a data retention schedule that’s up-to-date and includes all personal information you collect. Then create a process to delete or de-identify personal data on a regular basis.
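The retention process described above, as an added example that is not part of the original article: a small Python script that applies a hypothetical retention schedule to loyalty-program records. The schedule (direct identifiers kept for 365 days, whole record kept for 730 days), the record layout, the pseudonymisation key and the sample rows are all constructed assumptions; records past the first threshold are de-identified (direct identifiers dropped, the customer id replaced by a keyed hash so aggregate analysis still works), and records past the second are deleted outright.

```python
"""Retention-schedule enforcement for loyalty-program records.

Added example, not code from the article. The record layout, the retention
periods and the sample rows below are constructed assumptions.
"""
import hashlib
import hmac
from datetime import date

# Hypothetical retention schedule, in days since collection.
IDENTIFIABLE_DAYS = 365   # keep direct identifiers this long
MAX_RETENTION_DAYS = 730  # after this, delete the record entirely

# Fields that identify a person directly; dropped at de-identification.
DIRECT_IDENTIFIERS = ("phone_number", "email", "name")

# Constructed pseudonymisation key. In a real deployment it lives in a
# secrets manager; destroying it turns the pseudonyms into irreversible tokens.
PSEUDONYM_KEY = b"constructed-example-key"


def pseudonymize(customer_id: str) -> str:
    """Keyed hash of the customer id: stable for joins, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict) -> dict:
    """Strip direct identifiers, replace the id with a pseudonym, keep the analytics fields."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_id"] = pseudonymize(record["customer_id"])
    out["deidentified"] = True
    return out


def enforce_retention(records: list, today: date) -> tuple:
    """Apply the schedule to each record. Returns (kept_records, summary_counts)."""
    kept, summary = [], {"unchanged": 0, "deidentified": 0, "deleted": 0}
    for rec in records:
        age = (today - date.fromisoformat(rec["collected_on"])).days
        if age > MAX_RETENTION_DAYS:
            summary["deleted"] += 1          # nothing kept: you can't lose what you don't have
        elif age > IDENTIFIABLE_DAYS and not rec.get("deidentified"):
            kept.append(deidentify(rec))
            summary["deidentified"] += 1
        else:
            kept.append(rec)                 # still inside the schedule, or already de-identified
            summary["unchanged"] += 1
    return kept, summary


# Constructed sample rows, as a loyalty database might hold them.
SAMPLE_RECORDS = [
    {"customer_id": "C100", "name": "A. Example", "phone_number": "555-0100",
     "email": "a@example.com", "purchases": [12.5, 40.0], "collected_on": "2020-06-01"},
    {"customer_id": "C200", "name": "B. Example", "phone_number": "555-0200",
     "email": "b@example.com", "purchases": [7.0], "collected_on": "2019-01-15"},
    {"customer_id": "C300", "name": "C. Example", "phone_number": "555-0300",
     "email": "c@example.com", "purchases": [], "collected_on": "2017-03-10"},
]

if __name__ == "__main__":
    kept, summary = enforce_retention(SAMPLE_RECORDS, date(2020, 8, 1))
    print(summary)
    for row in kept:
        print(row)
```

Run on the sample rows with a "today" of 2020-08-01, the 61-day-old record is left alone, the 564-day-old record is de-identified, and the record from 2017 is deleted. The script is idempotent: running it again over its own output changes nothing, which is what you want from a job that runs on a schedule.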

What's to come

CCPA requires businesses to give consumers options to control how their data is used and to offer them real choices — the like-it-or-leave-it model of notice and choice is slowly eroding. If this year’s ballot initiative, the California Privacy Rights Act, ends up as law, California residents will have control over not only the sale but also the sharing of personal information, and the ability to limit the use of a new class of sensitive personal information.

Getting your loyalty program and data collection practices in shape now is essential to managing not only CCPA but also CPRA and whatever else is on the horizon.
