Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states (California, Colorado and Florida) regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common, though, is optimized pricing or providing a higher quality of services in exchange for getting personal information. Loyalty programs, depending on how they are operated, may be viewed as financial incentives under these laws. Colorado’s comprehensive privacy law, on the other hand, imposes obligations on companies that operate “bona fide loyalty programs.” These are defined as programs where information is processed solely to provide the program’s benefits. Benefits must be, as in California, better pricing or quality of services.

What is required if companies engage in these activities?

  • Notice: Businesses that offer such incentives must provide an accessible notice that contains many provisions. Combining the requirements across the three states, the notice must, among other things, clearly explain the material terms of what is being offered, namely what price or service difference is offered (CA, CO, FL). The notice must also give instructions about how to opt in to the program and how to withdraw from the program (CA, CO, FL). It should also tell people whether withdrawing consent will affect participation in the program and, if withdrawal of consent will result in program removal, the notice must explain why (CO). It must also explain how the price or service is related to the consumer’s data and how the business arrived at that estimate (CA). Finally, it should describe how exercising consumer rights may impact participation in such a program (CO). This notice should be provided at the point of program registration, either directly or in the form of a link to a specific section of a privacy notice or a separate notice containing these terms (CA, CO).
  • Record keeping: California requires that companies keep records of how they calculate the value of consumers’ data. The calculation can utilize a variety of metrics if the calculation is reasonable and conducted in good faith.
  • Withdrawing consumers: In Colorado, if consumers exercise rights (like the right to have their information deleted) such that participation in the program is impossible, a business can withdraw the consumer from the program. The business has 24 hours before discontinuing the loyalty program benefit or membership to let the consumer know. If a consumer requests that their information be deleted and the loyalty program does not require the deleted information for participation, though, then consumers should be allowed to stay enrolled. In California, a request to delete from a loyalty program participant would likely need to be examined under the exception to provide a service requested by the consumer or within the context of the ongoing relationship with the consumer.
  • Opt-out signals: Connecticut, Delaware, Montana, and Oregon also briefly mention loyalty programs, namely in their requirements on respecting opt-out preference signals. These are signals sent by a platform or technology on behalf of a consumer that communicate the consumer’s choice to opt out of sale or sharing. If the signal interferes with the consumer’s ability to participate in the program, the business should notify the consumer.[1]

Putting It Into Practice: With all of these laws, companies should keep in mind that they’ll first need to determine if the law is applicable to their business (remember some states have higher thresholds than others) and when the laws will take effect. If your business offers perks, discounts, or other incentives to consumers in California and Colorado, then keep those states’ requirements in mind, including notice and record keeping.