In a recent press release, California Attorney General Rob Bonta made it clear that customer loyalty programs are an enforcement priority for California Consumer Privacy Act (CCPA) compliance. His office sent out 30-day cure notices to a number of “major corporations in the retail, home improvement, travel, and food services industries.” Companies that fix any alleged violations of the data privacy law within that time period will face no further penalties.
The CCPA requires that any business which offers financial incentives in return for consumer data (i.e., rewards or loyalty programs) must first make certain disclosures. These disclosures must describe the “material terms” of the program, including what kinds of personal data the business is collecting and how the incentive is related to the value of that information.
The Attorney General did not specify what these companies may have been doing wrong. It could range from not providing any disclosures at all to not providing an estimate of the value of consumers’ personal information. One interesting takeaway is that it is not just online businesses that are being targeted for enforcement, but stores with physical locations as well. “We may not always realize it, but these brick-and-mortar stores are collecting our data—and they’re finding new ways to profit from it,” said Bonta.
This is part of a trend of aggressive interpretation and enforcement of the CCPA, something that is expected to continue. Starting in 2023, the state will no longer be required to give businesses 30 days to fix any alleged noncompliance, and can instead proceed directly to administrative proceedings and fines. The newly created California Privacy Protection Agency is also gearing up to take over CCPA enforcement from the Attorney General’s Office. Once that happens, enforcement actions are widely expected to take a big jump.
Customer loyalty programs are just one of many aspects of CCPA compliance that are easily overlooked by businesses whose attention is focused elsewhere. Even as enforcement ramps up, however, small and medium sized businesses keep delaying compliance. Often this is because of concerns over cost and lost time. TrueVault Polaris can help these businesses get compliant in as little as a few hours, and at a fraction of the cost of hiring an attorney or consultant. Designed by privacy attorneys, Polaris lets you handle your own CCPA compliance through a guided software experience, similar to filing taxes online.
To schedule a demo of how Polaris works, contact us today.