On January 28, California Attorney General Rob Bonta announced that his office was beginning an “investigative sweep” of businesses operating consumer loyalty programs in California. The California AG’s press release stated that letters were sent to “major corporations in the retail, home improvement, travel, and food service industries” and allege the recipients’ potential noncompliance with the California Consumer Privacy Act (CCPA)’s requirement that the material terms of the financial incentive program are clearly described. Under the CCPA, businesses that offer consumers promotions, discounts, and other deals in exchange for collecting, keeping, or selling a consumer’s personal information must provide a “notice of financial incentive” that clearly describes the material terms of the financial incentive program to the consumer prior to opting in. Recipients of a CCPA notice are given 30 days to cure and come into compliance with the law before an enforcement action can be initiated. Failure to comply could place a business at risk of civil penalties.

This announcement is just the latest in a series of actions taken by the California AG since he began enforcing the CCPA in July 2020 and signals his continued focus on consumer data privacy. After one year of enforcement, Attorney General Bonta released a list of exemplar CCPA enforcement actions that his office had taken, focusing primarily on public representations by companies on their websites. This effort appears to dovetail on those early enforcement activities, and Troutman Pepper expects the California AG to begin evaluating a company’s privacy practices, as articulated in public-facing privacy policies, with actual business activities moving forward.

The notice serves as a reminder to all companies doing business with California customers to ensure their privacy policies are complete and accurate, and that compliance is well documented to avoid potentially onerous enforcement actions by the California AG, especially with the California Privacy Protection Agency (CPPA) stepping up to enforce provisions of the CPRA in 2023. Troutman Pepper’s regulatory team monitors developments like these as it counsels clients in the evolving landscape of cybersecurity and data privacy laws and regulations.