4 Colo. Code Regs. § 904-3-6.05

Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-6.05 - LOYALTY PROGRAMS
A. Pursuant to 6-1-1308(1)(d), a Controller is not prohibited from offering Bona Fide Loyalty Program Benefits to a Consumer based on the Consumer's voluntary participation in a Bona Fide Loyalty Program.
B. If a Consumer exercises their right to delete Personal Data such that it is impossible for the Controller to provide a certain Bona Fide Loyalty Program Benefit to the Consumer, the Controller is no longer obligated to provide that Bona Fide Loyalty Benefit to the Consumer. However, the Controller shall provide any available Bona Fide Loyalty Program Benefit for which the deleted Personal Data is not necessary.
C. If a Consumer exercises their right to opt out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, such that the exchange of Personal Data needed to obtain a Bona Fide Loyalty Program Benefit through a Bona Fide Loyalty Program Partner is no longer possible, the Controller is no longer obligated to provide that Bona Fide Loyalty Program Benefit to the Consumer.
1. If the Controller's Bona Fide Loyalty Program offers Bona Fide Loyalty Program Benefits that are unrelated to the exchange of Personal Data with a Bona Fide Loyalty Program Partner, the Controller shall continue to provide those Benefits to a Consumer who opts out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising.
2. The sale of Personal Data or Processing of Personal Data for Targeted Advertising that is unrelated to sharing of information with a Bona Fide Loyalty Program Partner is a Secondary Use that requires Consent pursuant to 4 CCR 904-3, Rule 6.08.
D. If a Consumer refuses to Consent to the Processing of Sensitive Data necessary for a personalized Bona Fide Loyalty Program Benefit, the Controller is no longer obligated to provide that personalized Bona Fide Loyalty Program Benefit. However, the Controller shall provide any available, non-personalized Bona Fide Loyalty Program Benefit for which the Sensitive Data is not necessary. A Controller may not condition a Consumer's participation in a Bona Fide Loyalty Program on the Consumer's Consent to Process Sensitive Data unless the Sensitive Data is required for all Bona Fide Loyalty Program Benefits.
E. If a Consumer's decision to exercise a Data Right impacts the Consumer's membership in a Bona Fide Loyalty Program, the Controller shall notify the Consumer of the impact of the Consumer's decision in conformance with 4 CCR 904-3, Rule 3.02 and at least twenty-four (24) hours before discontinuing the Consumer's Bona Fide Loyalty Program Benefit or membership, and must provide a reference or link to the information required by subparagraph F, below.
F. Loyalty Program Disclosures
1. In addition to all other disclosures required by 4 CCR 904-3, Rules 6.03 and 7.03, a Controller maintaining a Bona Fide Loyalty Program must provide the following disclosures at the point of program registration, either directly, or in the form of a link to the specific section of a privacy notice or terms and conditions containing such information:
a. The categories of Personal Data or Sensitive Data collected through the Bona Fide Loyalty Program that will be Sold or Processed for Targeted Advertising, if any;
b. Categories of Third Parties that will receive the Consumer's Personal Data and Sensitive Data, provided in the level of detail described in 4 CCR 904-3, Rule 6.03, including whether Personal Data will be provided to Data Brokers;
c. A list of any Bona Fide Loyalty Program Partners, and the Bona Fide Loyalty Program Benefits provided by each Bona Fide Loyalty Program Partner.
d. If a Controller claims that a Consumer's decision to delete Personal Data makes it impossible to provide a Bona Fide Loyalty Program Benefit, then the Controller shall provide an explanation of why the deletion of Personal Data makes it impossible to provide a Bona Fide Loyalty Program Benefit.
e. If a Controller claims that a Consumer's Sensitive Data is required for a Bona Fide Loyalty Program Benefit, then the Controller shall provide an explanation of why the Sensitive Data is required for a Bona Fide Loyalty Program Benefit.
2. Bona Fide Loyalty Program terms and requests for Consent to Process Sensitive Data or Personal Data in connection with the Bona Fide Loyalty Program shall also include a link to the Controller's privacy notice.
G. Example: A Consumer joins a grocery store's Bona Fide Loyalty Program that includes both personalized and non-personalized Bona Fide Loyalty Program Benefits. The grocery store asks the Consumer for Consent to collect Sensitive Data about the Consumer in order to provide personalized Bona Fide Loyalty Program Benefits. When the Consumer refuses Consent, the Controller gives timely notice to the Consumer that it will not provide the personalized Bona Fide Loyalty Program Benefits, but will continue to provide non-personalized Bona Fide Loyalty Program Benefits. Moving forward, the Controller provides only the non-personalized Bona Fide Loyalty Program Benefits following the Consumer's decision to continue to refuse Consent to the collection of Sensitive Data. The Controller is not acting impermissibly because the grocery store is still providing all available non-personalized Bona Fide Loyalty Program Benefits and did not condition the Consumer's participation in the Bona Fide Loyalty Program on the Consumer's Consent to process Sensitive Data that is not required for personalized Bona Fide Loyalty Program Benefits.
H. Example: A Consumer joins a hotel chain's Bona Fide Loyalty Program, which provides points that can be applied to obtain discounts for that hotel chain, and for a popular restaurant chain that is not otherwise affiliated with the hotel chain. The restaurant chain requires the hotel chain to provide the Personal Data of each Consumer who wishes to apply the hotel chain's points to obtain restaurant discounts. When the Consumer opts out of the Sale of Personal Data and Processing of Personal Data for Targeted Advertising, the Controller is unable to provide the required information to the restaurant chain. The Controller may discontinue the Bona Fide Loyalty Program Benefit that allows Consumers to use points for discounts for the restaurant chain. However, the hotel chain must still provide all available Bona Fide Loyalty Benefits to be used at the hotel chain.
I. Example: A Consumer joins a retailer's Bona Fide Loyalty Program that offers discounts on products based on the Consumer's purchase history. The retailer wishes to fund the loyalty program, in part, by selling the Consumer's purchase history to a Data Broker. The retailer must obtain the Consumer's consent to Sell the Consumer's Personal Data to the Data Broker because selling Personal Data obtained through a Bona Fide Loyalty Program to a Data Broker is a secondary use.
J. Example: A Consumer exercises their right to opt out of the Processing of Personal Data for Targeted Advertising. An online gaming company gives the Consumer fewer free games through the company's service, arguing that the additional free games are for members of its loyalty program, which requires the use of Personal Data for Targeted Advertising. The company's differential treatment is prohibited if the Processing of Personal Data is not necessary to provide the additional games. However, if the free games are provided by a Bona Fide Loyalty Program Partner that requires the Consumer data for Targeted Advertising through a co-marketing agreement with the Controller, the differential treatment may be appropriate.

46 CR 06, March 25, 2023, effective 7/1/2023