Loyalty programs can save you a lot of money, right? You can get discounts, upgrades and all kinds of goodies completely free – just by providing your email address or phone number! Right?
Well, yes and no. These programs do come with a cost, as much of the data winds up being shared, sold and otherwise used for profit. California wants to be sure that consumers are being told just what that cost is, and the state's attorney general is warning businesses it's time to get with the program.
It's all the result of something called the California Consumer Privacy Act (CCPA). It went into effect in 2020 and Attorney General Rob Bonta is stepping up enforcement this year. He warns businesses they need to be sure they're complying with the law, which at the moment is unique to California.
The CCPA gives consumers:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Consumers must be told
Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive.
The notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program. Letters have gone out to major corporations in the retail, home improvement, travel, and food services industries, giving them 30 days to comply with the law.
“In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store,” Bonta said in a recent news release.
“We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it," he said.
This won't affect the corner bodega or that one-person barber shop at the mall. It applies to businesses that:
1) have a gross annual revenue of more than $25 million; or
(2) derive more than 50% of their annual income from the sale of California consumer personal information; or
(3) buy, sell or share the personal information of more than 50,000 California consumers annually.
It's worth noting that businesses don't have to be physically located in California as long as they meet one of the three stipulations.
Warnings issued to violators
Notices of apparent violation have been issued to entities including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers.
As part of the crackdown, Bonta's office has established a new online tool that lets consumers directly notify businesses of potential violations. The form can be used to notify any business that does not post an easy-to-find “Do Not Sell My Personal Information” link on their website.
Under the law, Bonta can levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.
Ten companies were caught violating the law in its first year, 2021. All took action to comply with the measure and no fines were levied. The businesses ranged from an animal adoption agency to a large supermarket chain, according to TechTarget.