California Attorney General Rob Bonta is serious about compliance with the California Consumer Privacy Act (CCPA). So serious, that on January 28, 2022, also known as Data Privacy Day, he announced that his office was commencing an investigative “sweep” of “businesses operating loyalty programs in California” and sent notices of noncompliance to businesses requiring them to cure within thirty days.

According to the AG’s press release, “Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program.” Although the AG did not reveal how many letters were issued, he did say that letters were sent “to major corporations in the retail, home improvement, travel, and food services industries.”

The timing of the issuance of the letters appears to be no coincidence. The AG stated, “On Data Privacy Day, we’re issuing notices to business that operate loyalty programs and use personal information in violation of California’s data privacy law. I urge all businesses in California to take note and be transparent about how you’re using your customer’s data. My office continues to fight to protect consumer privacy, and we will enforce the law.”

Warnings from a regulator are words to follow closely. If you offer a loyalty program, these words from the enforcer of the CCPA are clear and strong. If you haven’t implemented a CCPA compliance program, there is no better time than now.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.