On January 28, California Attorney General Rob Bonta announced that his office was beginning an “investigative sweep” of businesses operating consumer loyalty programs in California. The California AG’s press release stated that letters were sent to “major corporations in the retail, home improvement, travel, and food service industries” and allege the recipients’ potential noncompliance with the California Consumer Privacy Act (CCPA)’s requirement that the material terms of the financial incentive program are clearly described. Under the CCPA, businesses that offer consumers promotions, discounts, and other deals in exchange for collecting, keeping, or selling a consumer’s personal information must provide a “notice of financial incentive” that clearly describes the material terms of the financial incentive program to the consumer prior to opting in. Recipients of a CCPA notice are given 30 days to cure and come into compliance with the law before an enforcement action can be initiated. Failure to comply could place a business at risk of civil penalties.

This announcement is just the latest in a series of actions taken by the California AG since he began enforcing the CCPA in July 2020 and signals his continued focus on consumer data privacy. After one year of enforcement, Attorney General Bonta released a list of exemplar CCPA enforcement actions that his office had taken, focusing primarily on public representations by companies on their websites. This effort appears to dovetail on those early enforcement activities, and Troutman Pepper expects the California AG to begin evaluating a company’s privacy practices, as articulated in public-facing privacy policies, with actual business activities moving forward.

The notice serves as a reminder to all companies doing business with California customers to ensure their privacy policies are complete and accurate, and that compliance is well documented to avoid potentially onerous enforcement actions by the California AG, especially with the California Privacy Protection Agency (CPPA) stepping up to enforce provisions of the CPRA in 2023. Troutman Pepper’s regulatory team monitors developments like these as it counsels clients in the evolving landscape of cybersecurity and data privacy laws and regulations.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Stephen C. Piepgrass Stephen C. Piepgrass

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies,

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries. He also has experience advising clients on data and privacy issues, including handling complex investigations into data incidents by state attorneys general other state and federal regulators. Additionally, Stephen provides strategic counsel to Troutman Pepper’s Strategies clients who need assistance with public policy, advocacy, and government relations strategies.

Photo of Ashley L. Taylor, Jr. Ashley L. Taylor, Jr.

Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations…

Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.

Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Photo of Daniel Waltz Daniel Waltz

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.