What Is a Notice of Financial Incentive?

data-money
 

The notice of financial incentive (NFI) is a source of dread for many businesses that are trying to become CCPA compliant. It’s confusing, it’s highly visible, and it has been a focus of enforcement by the California Attorney General.

To help understand the NFI, we’ll go over why it exists and what is required of businesses.

What’s the Point of the NFI?

The need for an NFI is based on the consumer’s right to non-discrimination. Businesses cannot retaliate against consumers for exercising their privacy rights, such as by denying them service, charging them a different price, or providing a different level or quality of services or products.

While that rule makes sense, it also conflicts with a very common arrangement that benefits both businesses and consumers: providing access to personal information in exchange for discounts, free services, etc.

For example, imagine your business allows consumers to sign up for email newsletters that contain exclusive promo codes that can be redeemed for discounts on your website (discounts=financial incentive, email address=personal information). Later, one of those consumers requests that you delete all of their personal information. If you delete their email address from your mailing list, they won’t receive any more promo codes, meaning they will be charged a different price for your products as a result of submitting a privacy request.

In this situation, the CCPA gives businesses some leeway. They can simply remove the consumer from their mailing list without it being considered retaliation. Alternatively, they can ask the consumer to confirm that they want to be removed from the financial incentive program. If the consumer wants to keep receiving the financial incentive, the business may continue to retain and/or use their personal information to the extent it is necessary to operate the program.

However, businesses only have these options if they post an NFI that complies with the CCPA’s requirements.

Financial Incentive Requirements

Businesses may offer consumers a financial incentive for the collection of their personal information only if the financial incentive program meets these requirements:

  • The value of the financial incentive is reasonably related to the value provided to the business by the consumer’s data
    Financial incentives programs can’t be unreasonable or coercive. For example, if a social media company gives consumers free access to their service in exchange for selling their data, it can’t make consumers choose between either having their data sold or opting out and paying $1000 per month for the service. The value of the financial incentive is not reasonably related to the value of the consumer’s data, and the price is clearly meant to dissuade people from opting out.

    For most businesses, this is not an issue because the value of the financial incentive and the value of the personal information typically tend to be reasonably related. In the email newsletter scenario, for example, businesses will spend a lot of effort balancing the value of an increase in sales with the lost revenue associated with the discounts. They naturally want to offer the minimum amount of financial incentive necessary, because that incentive has a cost.
  • The consumer gives prior opt-in consent
    Businesses may only enter a consumer into a financial incentive program if that consumer has first given their consent. Gathering consent can be as simple as letting consumers check a box that says, e.g., “I would like to receive emails about new products and exclusive discounts.” However, consent does require an affirmative action on the part of the consumer, so using pre-checked boxes would not be not valid.
  • Post a notice of financial incentive
    A necessary component of CCPA consent is that it must be informed. Wherever businesses collect consent for a financial incentive program, they must post a link to a notice that describes the program. This is the notice of financial incentive.

    The NFI must include all of the following:

    1. A succinct summary of the financial incentive
    2. A description of the material terms of the financial incentive, including the categories of personal information that are implicated and the value of the consumer’s data
    3. How the consumer can opt-in to the financial incentive
    4. A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right
    5. An explanation of how the financial incentive is reasonably related to the value of the consumer’s data, including:
      1. A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive, and
      2. A description of the method(s) the business used to calculate the value of the consumer’s data

Calculating the Value of Consumer Data

By far, the biggest challenge of creating an NFI is making a good-faith estimate of the value of the consumer’s data and showing that it is reasonably related to the value of the financial incentive provided. Placing a dollar value on such programs can be difficult, yet enforcement authorities have made it clear that this is an essential component of compliance.

In order to provide some guidance, current regulations state that businesses shall consider one or more of the following while making their estimate:

  1. The marginal value to the business of the sale, collection, or deletion of a consumer’s data
  2. The average value to the business of the sale, collection, or deletion of a consumer’s data.
  3. The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers
  4. Revenue generated by the business from sale, collection, or retention of consumers’ personal information
  5. Expenses related to the sale, collection, or retention of consumers’ personal information
  6. Expenses related to the offer, provision, or imposition of any financial incentive
  7. Profit generated by the business from sale, collection, or retention of consumers’ personal information
  8. Any other practical and reasonably reliable method of calculation used in good faith

Example

In case these factors don’t make you feel any more confident in calculating the value of consumer data, it may be more helpful to use our email newsletter scenario as an example.

Estimating the Value of the Financial Incentive

If the incentive you offer is a discount code you include in your newsletter, chances are it varies from month to month, so you should try to find an average value. In this example, we’ll pretend the coupons have an actual dollar value (e.g., $5 off your next purchase, or 10% off an item that’s listed at $25), and you offer one coupon per month. We simply add up the values of all the coupons for the last year, and then divide by 12.

You don’t have to provide all of the numbers you used; you can just add a statement such as “We estimate the average monthly value of discounts offered to be approximately eight dollars.”

Estimating the Value of Consumer Data

This will likely be trickier, and you must also describe the methods you used to make the estimate. Let’s say your business has an average monthly revenue of $220,000, and your marketing team estimates that sending out a monthly newsletter results in about 10% higher sales every month, so roughly $20,000 can be attributed to the newsletter. If you send the newsletter to 1,000 people, you can estimate the value per recipient to be $20 per month.

Again, you don’t have to provide all of these figures, just a description of your method and the final estimate of the value. Here you might say, “Based on our estimates of increased sales figures associated with our newsletter, divided by the total number of recipients, we estimate the value of each recipient’s data to be approximately $20 per month.”

Get Help with Your Privacy Compliance

Privacy compliance is complicated, and it’s getting more complicated as a growing list of states pass their own legislation. Fulfilling the many requirements like posting a notice of financial incentive or creating a data retention policy can quickly become overwhelming for companies that don’t have in-house privacy experts.

TrueVault US is an attorney-designed software that helps businesses become compliant with privacy laws from across the United States with minimal effort. Even if you’re starting from zero compliance, you can have all your privacy notices up and be ready to respond to consumer requests in as little as a few hours. Onboard your vendors, create a data map, and more with guidance from TrueVault.

To learn more about TrueVault US, contact our team today.

Schedule Call