The California Consumer Privacy Act (CCPA) is a landmark data privacy legislation in the United States. It provides new rights for California's residents, holds companies to a higher standard of data protection, and imposes stringent penalties on violators. (It was amended by the CPRA, which took effect in January, 2023.)
In essence, compliance with the CCPA (CPRA) is not something to be taken lightly.
One very important but often overlooked provision under the law is for certain businesses to provide a notice of financial incentive to their customers.
More specifically, if your business operates loyalty schemes by offering financial incentives like discounts, rewards, or free products to consumers in exchange for their personal information, then you need to publish a notice of financial incentive.
In the article below, we'll clarify what the CCPA/CPRA's notice of financial incentive is all about, what it requires, and how your business can comply accordingly.
But first, let's make sure we're clear on how the CCPA (CPRA) works and which businesses must comply with its provisions.
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tables and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
-
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
-
At Step 2, add in information about your business.
-
At Step 3, select a plan for the Cookie Consent.
-
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copy-paste the installation code in the
<head>
</head>
section of your website. Instructions how to add in the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
- 1. CCPA (CPRA) Overview
- 1.1. Who the CCPA (CPRA) Applies to
- 2. What is the CCPA (CPRA) Notice of Financial Incentive?
- 3. What Must a CCPA/CPRA-compliant Notice of Financial Incentive Include?
- 3.1. A Concise Summary
- 3.2. A Description of the Material Terms
- 3.3. How to Opt In
- 3.4. How to Withdraw (Opt Out)
- 3.5. The Relation of Financial Incentive to the Value of Data
- 4. Examples of Financial Incentive Notices
- 5. Best Practices for Compliance With CCPA (CPRA) Notices Requirements
- 6. Summary
CCPA (CPRA) Overview
The CCPA (CPRA) was signed into law on June 28, 2018, and took effect on January 1, 2020. As a comprehensive privacy law enacted to protect personal information, the CCPA (CPRA) has a notable impact on consumers and certain businesses in California.
Essentially, the law grants consumers several privacy rights and applies responsibilities of transparency and accountability to businesses in their use of personal information.
According to the CCPA (CPRA), personal information refers to:
"information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
It should be noted that the CCPA/CPRA's definition of personal information has been described as the broadest of any other U.S. privacy law. That is to say, this definition covers a substantial list of identifiers, including but not restricted to:
- Full names
- Aliases/nicknames/usernames
- Mailing addresses
- IP addresses
- Email addresses
- Browser history/cookies
- Passport numbers
- Driver's license numbers
Basically, as long as a piece of information can be reasonably linked (even indirectly) to a consumer or household, it constitutes personal information under the CCPA (CPRA).
The CPRA's amendment expanded this to include sensitive personal information, such as policital affiliation, sexual orientation and health data.
However, personal information does not include publicly available information or "de-identified information." De-identified information is any data that has been stripped of all personally identifiable information.
Thanks to the CCPA/CPRA's stringent provisions, consumers now have significantly more control over how their personal information may be collected, used, and sold by companies.
In short, the CCPA (CPRA):
- Is founded on the principles of accountability, transparency, and control
- Provides new rights for Californians, including the right to know, access, delete, opt-in (for minors), and opt out of the sale of their personal information, as well as the right to non-discrimination
- Applies several responsibilities to companies under its scope
- Imposes fines and other penalties on companies that violate its provisions
Who the CCPA (CPRA) Applies to
The CCPA (CPRA) applies to your business if it operates in California or sells products or services to the residents of California, and either one of the following applies:
- Your annual gross revenue exceeds $25 million
- You buy, sell, receive for commercial purposes, or share for commercial purposes, the personal information of at least 100,000 consumers, households, or devices each year, or
- You derive at least 50 percent of your annual revenue from selling or sharing the personal information of consumers
It is crucial to note that the CCPA (CPRA) does not apply to service providers (i.e., entities that operate on behalf of other businesses).
Now that we're clear on how the CCPA (CPRA) works and who it applies to, let's see what the CCPA/CPRA's notice of financial incentive is all about.
What is the CCPA (CPRA) Notice of Financial Incentive?
A notice of financial incentive is one of the four consumer notices that must be provided by certain businesses to ensure total compliance with the CCPA (CPRA). Note that not all businesses are required to provide this notice.
According to the CCPA (CPRA), financial incentive refers to:
"a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information."
As a business subject to the CCPA (CPRA), you are required to provide a notice of financial incentive only if:
- You run a financial incentive program (e.g., loyalty schemes) to obtain the personal information of consumers, or
- You offer a price or service difference to consumers in exchange for their personal information
To put this in context, if you run loyalty schemes like providing coupons in exchange for consumers' contact details or offering discounts in exchange for signing up to receive promotional emails, then you need to provide a notice of financial incentive to avoid violating the CCPA (CPRA).
The purpose of this notice is to ensure that consumers are aware of when their information may be collected, used, sold, or disclosed in exchange for a financial benefit before they decide whether to participate in your loyalty scheme.
The CCPA itself states:
"The purpose of the notice of financial incentive is to explain to the consumer the material terms of a financial incentive or price or service difference the business is offering so that the consumer may make an informed decision about whether to participate."
Prior to the introduction of the notice of financial incentive, compliance in this regard has been notably complicated for businesses that operate loyalty schemes.
This is because the CCPA/CPRA's right to non-discrimination explicitly states that businesses must not discriminate against consumers who choose to exercise their privacy rights. In other words, you cannot charge a higher price or deny such consumers products and services.
It later became apparent that this right directly contradicts the ability of a business to offer financial incentives or different prices or services through loyalty schemes.
As a result, the CCPA (CPRA) and the California Attorney General's final proposed regulation includes a provision that allows businesses to offer financial incentives to consumers in exchange for personal information as long as the following conditions are met:
- The financial incentive you offer must be directly related to the actual value your business obtains from a consumer's personal information.
- If your business offers any financial incentive to consumers, you must prominently publish a notice to this effect.
- Your business must obtain initial opt-in consent from consumers that clearly explains the "material terms of the financial incentive program." Additionally, consent must be easily withdrawable by consumers at any time.
- Your business must avoid engaging in financial incentive practices that are "unjust, unreasonable, coercive, or usurious in nature."
Now, let's take a look at what a CCPA/CPRA-compliant notice of financial incentive should contain.
What Must a CCPA/CPRA-compliant Notice of Financial Incentive Include?
Before a notice of financial incentive is considered valid under the CCPA (CPRA), it must satisfy the requirements set forth by the regulation.
To avoid penalties, your CCPA (CPRA) notice must be easy to understand, conspicuously displayed, and clearly explain the terms of your financial incentive program so that consumers can make an informed decision about whether to opt in.
Without further ado, let's take a look at what a CCPA/CPRA-compliant notice of financial incentive must contain.
A Concise Summary
To start off, the CCPA (CPRA) requires you to provide a summary of the specific financial incentive or price, or service difference you offer to consumers in exchange for the receipt of their personal information.
Note that your summary must be concise and easy for consumers to understand.
A Description of the Material Terms
Next, your notice of financial incentive must include a clear description of the material terms of your financial incentive program or price or service difference.
Importantly, your notice must include the categories of personal information involved in the financial incentive scheme and the actual value of the personal information of consumers.
How to Opt In
In the event that a consumer has read and consented to the material terms of your financial incentive program, your notice should clearly explain how the consumer can opt in to the financial incentive program or price or service difference.
How to Withdraw (Opt Out)
Consumers have the right to withdraw (i.e., opt out) from participating in your financial incentive program or price or service difference at any time, and you must bring this to their attention.
Moreover, the CCPA (CPRA) requires you to clearly explain how consumers can exercise their right to opt out of your loyalty scheme.
The Relation of Financial Incentive to the Value of Data
Your notice of financial incentive must also clearly describe how the financial incentive or price or service difference is reasonably related to the value of the consumer's personal information.
According to the CCPA (CPRA), this description must include:
- An estimate in "good faith" of the value of the consumer's personal information that forms the basis for offering the financial incentive or price or service difference, and
- A description of the method used to calculate the value of the consumer's personal information
Finally, note that if your business offers the financial incentive or price or service difference online, your notice may be displayed by providing a link in your website's CCPA-compliant Privacy Policy to the relevant section that contains the notice of financial incentive.
Read our article Updating Your CCPA Privacy Policy for the CPRA for more information.
Here's how BevMo does this in its Privacy Notice:
To get a practical idea of how these requirements may be structured and presented, let's see some examples of financial incentive notices posted by businesses.
Examples of Financial Incentive Notices
Here's a very detailed example from BevMo that complies with every of the requirements laid down by the CCPA (CPRA):
Purchased provides a similar comprehensive notice of financial incentive that also satisfies the standards set by the CCPA (CPRA) as shown below:
Here's another example of a short but concise notice of financial incentive from Qapital that clearly outlines the necessary information:
Now that we're clear on the requirements of a CCPA/CPRA-compliant notice of financial Incentive, let's take a look at some best practices for complying with the requirements of a CCPA (CPRA) notice.
Best Practices for Compliance With CCPA (CPRA) Notices Requirements
In addition to the specified requirements provided above, the CCPA (CPRA) states that your notice of financial incentive must be "designed and presented in a way that is easy to read and understandable to consumers."
In keeping with this requirement, the California Attorney General offers the following guidelines for all CCPA (CPRA) notices:
- Use simple, straightforward language in your notices and avoid technical jargon or "legalese."
- Make sure your notices are clearly and conspicuously posted and are easy for consumers to read on small screens.
- Ensure that your notices are displayed in the language(s) in which your business usually conveys information to consumers.
- Make your notices reasonably accessible to consumers with disabilities. If your notices are provided online, then the CCPA (CPRA) requires that you follow "generally recognized industry standards." However, if you use an alternative format, you should let consumers know.
- Provide your notices at key locations where consumers will come across it before deciding to opt into your financial incentive program or price or service difference.
Summary
On January 28, 2022, California's Attorney General conducted an investigative sweep of businesses operating loyalty schemes and issued them notices of violation with the CCPA.
According to a press release published by the Attorney General, the affected businesses did not provide a notice of financial incentive as required by the CCPA and the proposed regulation. Essentially, the affected businesses were given a period of 30 days to "cure" the violation, after which CCPA penalties would apply.
This event serves as an important reminder for your business to constantly reassess its CCPA (CPRA) compliance strategy and take measures to comply accordingly.
For businesses that operate loyalty schemes, providing a notice of financial incentive is an indispensable requirement.
Here's a quick recap of what your CCPA/CPRA-compliant notice of financial incentive must contain:
- A summary of your financial incentive program
- A description on of the material terms of the program, including the categories of personal information involved
- Guidelines on how consumers can opt into the program
- Notification of consumers' right to withdraw (opt out) from the program
- An explanation of how the financial incentive is related to the value of consumers' information, including a "good faith" estimate of the value and the method for calculating such value
Remember to use simple and straightforward language in your notice. Also, make sure it's readily accessible to consumers and available in alternative formats for disabled consumers.
Finally, note that failure to comply with the CCPA (CPRA) may result in a fine of up to $2,500 for each violation and $7,500 for each intentional violation.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.