California AG’s CCPA Enforcement Priorities Expand to Loyalty Programs

February 3, 2022

Click for PDF

International Data Privacy Day was on January 28, 2022, and practitioners and enforcers alike took the opportunity to recognize developments over the past year, and look forward to what’s next.[1]  California Attorney General Rob Bonta’s Office was no exception.  Attorney General Bonta’s Office published Friday a press release announcing “an investigative sweep of a number of businesses operating loyalty programs in California” and that the Attorney General sent notices alleging noncompliance with the California Consumer Privacy Act (CCPA).

The CCPA passed in 2018, took effect January 1, 2020, and following multiple amendments and various versions of regulations, enforcement by the California Attorney General started July 1, 2020.  Since that time, Attorney General Bonta’s Office’s enforcement priorities had appeared to focus on transparency (e.g., in privacy notices), sale requirements (e.g., ensuring sufficient opt-outs), verification, and CCPA right request forms.  Indeed, in July 2021, the Attorney General’s Office published examples of its CCPA enforcement cases, only one of which related to transparency in the context of a loyalty program.  In this release, the Office also launched a consumer reporting link, which allowed consumers to report potential violations to the Attorney General’s Office.

Now, it seems the Attorney General’s Office is adding fuel to the focus on loyalty programs in its list of enforcement priorities.  As a reminder, the CCPA has various provisions and regulations relating to loyalty programs.  Under CCPA’s Section 1798.125:

“a business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:  (B)  Charging higher prices or rates for goods or services, including through the use of discounts or other benefits,” except that businesses can provide a different price, rate, level or quality, if the offering is:

  • “in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program”;
  • “reasonably related to the value provided by the consumer’s data”;
  • “for a specific good or service whose functionality is reasonably related to the collection, use, or sale of the consumer’s data.”


The CCPA Regulations provide further clarity on these provisions, stating among other requirements, that if “a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive . . . is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference” (Section 999.336, emphasis added), and that an explicit notice of financial incentive is required, which should include (1) a summary of the program, (2) material terms, (3) how to opt in and how to withdraw from the program, and (4) how the incentive is reasonably related to the value of the consumer’s data, including a good-faith estimate of the value, and the description of the method the business used to calculate it (Section 999.307).

Section 999.337 offers more detail regarding how to calculate the value of consumer data, including providing eight factors for consideration, such as the average value to the business, the revenue generated by the business from the processing of the consumers’ information, and the expenses relating to the processing.

Attorney General Bonta’s announcement serves as a helpful reminder that businesses offering financial incentives (including potentially discount coupons for submitting an email address), or loyalty programs (such as usage perks or membership discounts), should consider their CCPA compliance, and in particular review their disclosures regarding such programs.  It is also a reminder more generally that the Attorney General’s Office remains active in enforcing the CCPA, at least until July 2023, when enforcement of the CPRA will begin.

We remain available to discuss your particular compliance needs, including regarding loyalty programs, to which businesses may have devoted less attention in their CCPA compliance efforts, in light of the late finalization of the regulations in August 2020.


[1] See, for example, Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review – 2022, Jan. 31, 2022, available at

This alert was prepared by Cassandra L. Gaedt-Sheckter and Alexander H. Southwell.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group:

United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])

Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])

Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.