On Friday, January 28, the world celebrated its 16th Data Protection/Privacy Day. As the privacy community capped off a week of programming and gazed into the future of potential data privacy enforcement [1], the celebrations were quickly overshadowed by California Attorney General Rob Bonta, who announced that his office was targeting businesses operating loyalty programs for potential enforcement actions. According to Bonta, his office issued “notices to business[es] that operate loyalty programs and use personal information in violation of California’s data privacy law.” [2] Accordingly, it is expected that a plethora of businesses may soon receive notices of noncompliance. Once a business receives a notice of noncompliance, that business will have 30 days to cure or fix the alleged violation before an enforcement action is initiated. Enforcement actions may result in penalties of up to $7,500 per violation, which can quickly accrue to significant amounts.

As a reminder, the Attorney General’s office reiterated the requirements under the California Consumer Privacy Act (CCPA) that businesses must follow when offering financial incentives, including certain loyalty programs:

“Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program.” [3]

For more information on CCPA compliance as it pertains to financial incentives, please see our prior article detailing the key considerations for businesses to adhere to.

Indicating a specific focus on brick-and-mortar retailers, Bonta stated that consumer data is not only collected online, but is also “collected when we enter our phone number for a discount at the supermarket; when we use rewards for a free coffee at our local coffee shop; and when we earn points to purchase items at our favorite clothing store.” [4]

Perkins Coie advises businesses on compliance issues with the CCPA and the soon-to-be-effective California Privacy Rights Act (CPRA). Perkins Coie has developed a CCPA Financial Incentives Toolkit to ensure clients meet the stringent requirements of the CCPA relating to financial incentives. The Financial Incentives Toolkit provides sample language for the required financial incentive notice and defensible guidance for preparing the data valuation, which is the most difficult part of the notice of financial incentive that must be prepared. To that end, Perkins Coie has prepared an offering that includes reference to valuation experts that can assist. This process is discussed in chapter 8 of Dominique Shelton Leipzig’s book titled “Implementing the CCPA: A Guide for Global Business, Second Edition.”

Additionally, Perkins Coie is skilled at counseling businesses in responding to enforcement actions. If you are the subject of a letter of noncompliance, we urge you to reach out as soon as possible so that we can assist.


[1] Data Privacy Day and 2022 Predictions (Jan. 28, 2022), https://www.linkedin.com/video/event/urn:li:ugcPost:6878722787763113984/.

[2] On Data Privacy Day, Attorney General Bonta Puts Businesses Operating Loyalty Programs on Notice for Violations of California Consumer Privacy Act (Jan. 28, 2022), https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-puts-businesses-operating-loyalty.

[3] Id.

[4] Id.