Under the California Consumer Privacy Act (CCPA), businesses are prohibited from discriminating against consumers who exercise their rights to safeguard their personal information. However, the CCPA preserves the right of a business to charge different prices or rates, or to provide consumers with differing levels or quality of goods or services, “if that difference is reasonably related to the value provided to the business by the consumer’s data,” or to offer consumers the opportunity to participate in consumer “loyalty, rewards, premium features, discounts, or club card programs.”
But when a business offers a “financial incentive,” such as “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion or sale of personal information,” it must provide the consumer with a Notice of Financial Incentive.
California Attorney General (AG) Rob Bonta has recently signaled that his office will enforce this financial incentives clause, following an “investigative sweep” of businesses that offer loyalty programs to their consumers. The investigation focused on assessing the data collection practices of these loyalty programs and resulted in the AG issuing several notices of non-compliance with the CCPA. Here’s what your organization needs to do to comply with this clause:
Constructing a Notice
A Notice of Financial Incentive must be readily available to the consumer before or when they opt into a loyalty program. Specifically, the notice must include the following:
- A summary of the financial incentive or any distinction in prices or services offered via the program;
- A clear description of the “material terms” of the program, including the categories of consumer personal information that will be collected;
- Procedures or processes that the consumer can utilize to opt-in to the program;
- Notice of the consumer’s right to withdraw or opt out of the program at any time and for any reason;
- A statement explaining how the program is “reasonably related” to the value derived from the consumer’s data, including:
  - A good-faith estimate of the value derived; and
  - A description of the method utilized to calculate the value of the consumer’s data.
According to the AG’s announcement, the businesses that received notification of violation of the CCPA were given 30 days to come into compliance before incurring further enforcement action from the AG. Additionally, the AG “urge[d] all business[es] in California to take note and be transparent about how you are using your customer’s data,” which signals the state’s intent to continue to pursue businesses offering these types of incentive programs to ensure compliance with the CCPA.
In consideration of this implied notice from the AG, all businesses covered by the CCPA should review any incentive programs that they offer to their consumers. As a practical note, the most significant challenge among the compliance requirements is assessing the “value” of the consumer’s personal information—a requirement that has not been explained in detail by the CCPA or the AG.
Because these values will be shared with the consumer, they should be treated as “published information” from the business, meaning they can be used against the business in a court of law. As such, the value assessed should take into consideration all accounting, tax, litigation, regulatory compliance, and business development implications.