February 3, 2022
International Data Privacy Day was on January 28, 2022, and practitioners and enforcers alike took the opportunity to recognize developments over the past year, and look forward to what’s next. California Attorney General Rob Bonta’s Office was no exception. Attorney General Bonta’s Office published Friday a press release announcing “an investigative sweep of a number of businesses operating loyalty programs in California” and that the Attorney General sent notices alleging noncompliance with the California Consumer Privacy Act (CCPA).
The CCPA passed in 2018, took effect January 1, 2020, and following multiple amendments and various versions of regulations, enforcement by the California Attorney General started July 1, 2020. Since that time, Attorney General Bonta’s Office’s enforcement priorities had appeared to focus on transparency (e.g., in privacy notices), sale requirements (e.g., ensuring sufficient opt-outs), verification, and CCPA right request forms. Indeed, in July 2021, the Attorney General’s Office published examples of its CCPA enforcement cases, only one of which related to transparency in the context of a loyalty program. In this release, the Office also launched a consumer reporting link, which allowed consumers to report potential violations to the Attorney General’s Office.
Now, it seems the Attorney General’s Office is adding fuel to the focus on loyalty programs in its list of enforcement priorities. As a reminder, the CCPA has various provisions and regulations relating to loyalty programs. Under CCPA’s Section 1798.125:
“a business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (B) Charging higher prices or rates for goods or services, including through the use of discounts or other benefits,” except that businesses can provide a different price, rate, level or quality, if the offering is:
The CCPA Regulations provide further clarity on these provisions, stating among other requirements, that if “a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive . . . is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference” (Section 999.336, emphasis added), and that an explicit notice of financial incentive is required, which should include (1) a summary of the program, (2) material terms, (3) how to opt in and how to withdraw from the program, and (4) how the incentive is reasonably related to the value of the consumer’s data, including a good-faith estimate of the value, and the description of the method the business used to calculate it (Section 999.307).
Section 999.337 offers more detail regarding how to calculate the value of consumer data, including providing eight factors for consideration, such as the average value to the business, the revenue generated by the business from the processing of the consumers’ information, and the expenses relating to the processing.
Attorney General Bonta’s announcement serves as a helpful reminder that businesses offering financial incentives (including potentially discount coupons for submitting an email address), or loyalty programs (such as usage perks or membership discounts), should consider their CCPA compliance, and in particular review their disclosures regarding such programs. It is also a reminder more generally that the Attorney General’s Office remains active in enforcing the CCPA, at least until July 2023, when enforcement of the CPRA will begin.
We remain available to discuss your particular compliance needs, including regarding loyalty programs, to which businesses may have devoted less attention in their CCPA compliance efforts, in light of the late finalization of the regulations in August 2020.
 See, for example, Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review – 2022, Jan. 31, 2022, available at https://www.gibsondunn.com/international-cybersecurity-and-data-privacy-outlook-and-review-2022/.
This alert was prepared by Cassandra L. Gaedt-Sheckter and Alexander H. Southwell.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group:
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Matthew Benjamin – New York (+1 212-351-4079, email@example.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, firstname.lastname@example.org)
David P. Burns – Washington, D.C. (+1 202-887-3786, email@example.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, firstname.lastname@example.org)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, email@example.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, firstname.lastname@example.org)
Robert K. Hur – Washington, D.C. (+1 202-887-3674, email@example.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, firstname.lastname@example.org)
H. Mark Lyon – Palo Alto (+1 650-849-5307, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Ashley Rogers – Dallas (+1 214-698-3316, email@example.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, firstname.lastname@example.org)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, email@example.com)
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
James A. Cox – London (+44 (0) 20 7071 4250, email@example.com)
Patrick Doris – London (+44 (0) 20 7071 4276, firstname.lastname@example.org)
Kai Gesing – Munich (+49 89 189 33-180, email@example.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Penny Madden – London (+44 (0) 20 7071 4226, email@example.com)
Michael Walther – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Alejandro Guerrero – Brussels (+32 2 554 7218, email@example.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Sarah Wazen – London (+44 (0) 20 7071 4203, email@example.com)
Kelly Austin – Hong Kong (+852 2214 3788, firstname.lastname@example.org)
Connell O’Neill – Hong Kong (+852 2214 3812, email@example.com)
Jai S. Pathak – Singapore (+65 6507 3683, firstname.lastname@example.org)
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.