Back to News

Loyalty Programs Trigger CCPA Noncompliance Notices

On January 28th, Attorney General Rob Bonta announced an investigative sweep of several businesses operating loyalty programs and sent notices alleging noncompliance with the California Consumer Privacy Act (CCPA). More specifically, letters were sent to “major corporations in the retail, home improvement, travel, and food services industries.” Companies will have 30 days to cure and come into compliance with the law.

As background, under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program.

“In the digital age, it’s easy to forget that our data isn’t only collected when we go online. It's collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store,” said Bonta. “We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it. On Data Privacy Day, we’re issuing notices to business that operate loyalty programs and use personal information in violation of California's data privacy law. I urge all businesses in California to take note and be transparent about how you're using your customer's data. My office continues to fight to protect consumer privacy, and we will enforce the law.”

For more information about the CCPA, visit