On January 28, 2022, California Attorney General Rob Bonta announced that his office sent notices alleging noncompliance with the California Consumer Privacy Act (“CCPA”) to a number of companies operating customer loyalty programs. This sweep of notices follows the Attorney General’s initial round issued on July 1, 2020 and was summarized in the Attorney General’s July 2021 enforcement examples, which we analyzed on the Debevoise Data Blog.

By way of background, the CCPA has specific requirements for businesses that offer financial incentives to customers—which have been broadly defined by the Attorney General’s regulations as anything from payments to discounted prices or other rewards—in exchange for collecting, deleting, or selling customers’ personal data. Businesses that offer financial incentives must provide notifications to consumers, including providing the material terms of the financial incentive program prior to the consumer opting in. Consumers who opt in must be able to opt out at any time, and a business cannot ask consumers who do not opt in to opt in for at least 12 months.

This sweep, along with the Attorney General’s July 2021 enforcement examples, highlight five key takeaways that companies offering customer loyalty programs or other financial incentives to consumers should consider to mitigate the risk of CCPA enforcement:

  1. Take Steps to Cure. Businesses that receive a notice of alleged noncompliance with the CCPA have 30 days to cure. If a business does not cure, it may be subject to an injunction and penalized $2,500 per violation or $7,500 for each intentional violation under the CCPA. The Attorney General’s July 2021 enforcement examples show how a quick and complete response to a notice can effectively eliminate the risk of an enforcement action. Companies that have not received notices but operate customer loyalty programs subject to the CCPA should consider evaluating their disclosures and management of these programs and take appropriate steps to align with the CCPA and the Attorney General’s regulations.
  2. Expect Broad Enforcement. The Attorney General’s notices are a reminder to businesses that they need to comply with all of the CCPA and all of the Attorney General’s regulations, including the less-heralded financial incentive notification provisions. Although there has not yet been a public enforcement action under any provision of the CCPA, the Attorney General’s public actions make clear that he is not focusing on any one or series of provisions, as reflected in the July 2021 enforcement examples and the creation of the Consumer Privacy Interactive tool, which will be updated over time to include a broader range of potential CCPA violations.
  3. Don’t Forget about Offline Collection. The Attorney General’s notice stresses the fact that all businesses subject to the CCPA, including brick and mortar companies, need to consider how they are collecting and using consumer data and provide the corresponding required notices. More specifically, the Attorney General commented that consumer data is collected and processed when consumers enter their “phone number for a discount at the supermarket; when [they] use rewards for a free coffee at our local coffee shop; and when [they] earn points to purchase items at our favorite clothing store.” This serves as a reminder that data collected offline needs to be treated with the same care as information collected online.
  4. Clarity Is Key. Similar to other required CCPA notices, the notice provided to consumers prior to opting in to a financial incentive program must be clear and use plain, straightforward language, avoiding technical or legal jargon, and be reasonably accessible to consumers, including those with disabilities. These notices should clearly outline the financial incentive; the categories of personal information being collected, deleted, or sold and their relation to the financial incentive; and how the consumer can withdraw their consent. As was reflected in the Attorney General’s July 2021 enforcement examples, businesses can mitigate enforcement risk by ensuring that these notices are comprehensive and consumer-friendly.
  5. Opting Out Is Just as Important as Opting In. Consumers must be able to withdraw their consent, or opt out, of the financial incentive program at any time. Similar to the notices when opting in, consumers should be able to opt out with ease rather than jumping through multiple hoops. Further, the CCPA requires that businesses wait 12 months after a consumer has refused consent before requesting that a consumer opt in again. Compliance with that provision requires that companies implement a means of tracking and identifying customers who have refused consent to ensure that the consumer does not receive another opt-in request during that time.

# # #

To subscribe to the Data Blog, please click here.

The authors would like to thank Emily Harris, a Debevoise law clerk, for her contributions to this post.


David Sarratt is a partner in Debevoise's Litigation Department. He is a seasoned trial lawyer whose practice focuses on government enforcement actions, internal investigations, and complex civil litigation, as well as novel enforcement issues arising from new technologies. He can be reached at dsarratt@debevoise.com.


Christopher S. Ford is a counsel in the Litigation Department who is a member of the firm’s Intellectual Property Litigation Group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.


H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.