The California Consumer Privacy Act (CCPA), expanded in 2023 by the California Privacy Rights Act (CPRA), is the most significant US privacy law in years. Even if your business is in Brooklyn or Austin or Seattle, your customers might be Californians, and California’s law follows them.
For a small business owner thinking about launching a loyalty program, the natural worry is: "am I going to accidentally violate CCPA and get a class action lawsuit filed against me?"
Good news: a well-designed digital loyalty program actually makes CCPA compliance simpler, not harder. This guide is the plain-English walkthrough.
Does CCPA apply to my business?
CCPA applies if you meet ANY of these thresholds:
- Annual gross revenue over $25 million
- Buy, sell, or share personal information of 100,000+ California consumers/year
- Derive 50%+ of annual revenue from selling/sharing California consumer data
For a typical small US cafe or shop, you probably don’t hit these thresholds — meaning CCPA technically doesn’t apply to you. But there are good reasons to comply anyway:
- Other states are passing similar laws (Virginia, Colorado, Connecticut, Utah, Texas all have CCPA-style legislation)
- Customers expect modern privacy practices regardless of legal threshold
- If you ever scale past the threshold, having compliance built in from day one is much easier than retrofitting
- If your loyalty platform vendor handles CCPA correctly, compliance is essentially automatic for you
What CCPA actually requires
CCPA gives California consumers five core rights:
- Right to know. Consumer can request what personal information you’ve collected, used, disclosed, or sold about them.
- Right to delete. Consumer can request you delete their personal information (with exceptions for legal/business obligations).
- Right to opt out of sale/sharing. Consumer can opt out of having their data sold or shared with third parties for cross-context advertising.
- Right to correct. Consumer can request correction of inaccurate personal information.
- Right to non-discrimination. You can’t discriminate against consumers for exercising CCPA rights (e.g., charge them more for products).
You’re obligated to:
- Provide a privacy policy explaining what you collect and why
- Disclose to consumers at or before collection what categories of data you’re collecting
- Honor consumer rights requests within 45 days (extendable by another 45)
- Provide a clear "Do Not Sell or Share My Personal Information" link if you sell/share data
What you should collect (data minimization)
CCPA follows a principle similar to GDPR's: collect only what you need.
Reasonable to collect for a loyalty program:
- Email address — needed for account confirmation and reward notifications
- Points balance and transaction history within the program
- Date of birth — only if offering a birthday reward (and only month + day, not full year)
Don’t collect without specific reason:
- Full legal name — only if you’ll address customers by name
- Phone number — not needed if you communicate via the app
- Home address — no purpose in a loyalty program
- Any sensitive personal information (health, immigration status, religion, etc.) — absolutely not
Privacy policy — what to put in it
Your privacy policy must include:
- Categories of personal information you collect
- Categories of sources of that information
- Business or commercial purposes for collecting
- Categories of third parties you share with
- Whether you sell or share for advertising (and how to opt out)
- Specific consumer rights and how to exercise them
- Description of authorized agent process (consumers can designate someone to make requests for them)
- Contact information for privacy inquiries
Pointify provides a complete CCPA-compliant privacy policy template at business signup. The current Pointify privacy policy already complies; if you use Pointify as your loyalty platform, the platform-side compliance is taken care of.
The data processing agreement
If you use a third-party loyalty platform, that platform processes data on your behalf. CCPA requires you to have a Data Processing Agreement (similar to GDPR’s Article 28) covering:
- Limited purposes for which the platform may process the data
- Restriction on combining data with other sources
- Restriction on selling/sharing the data
- Notification requirements for breaches
- Right to audit the platform’s compliance
Pointify provides a standard DPA at business signup that covers both CCPA and GDPR requirements. If a loyalty platform won’t sign a DPA, that’s a red flag — you can’t comply with CCPA without one.
What "don't sell my data" means in practice
The most-publicized CCPA right is the "Do Not Sell" opt-out. For loyalty programs, this typically means:
- Don’t share customer email addresses with advertising platforms (Facebook, Google) for retargeting
- Don’t enrich customer data with third-party data brokers
- Don’t sell customer lists to other businesses
If your loyalty platform doesn't do any of these (Pointify doesn't), you don't actually need a "Do Not Sell" mechanism for that data. But you should still mention in your privacy policy that you don't sell customer data — it's a positive trust signal.
Customer rights and how to fulfill them
You have 45 days to fulfill any CCPA rights request (extendable by another 45 with notice). Most loyalty platforms let customers self-serve:
- Access ("right to know"): Customer downloads their data from the app
- Deletion: Customer deletes their account from the app
- Correction: Customer edits their profile in the app
- Opt-out: Customer toggles a setting in the app
Pointify supports all of these in-app, which means you don’t personally have to handle each request.
What enforcement actually looks like
CCPA enforcement is split:
- The California Attorney General can fine up to $2,500 per violation (or $7,500 for intentional violations)
- Consumers can sue under the "private right of action" for data breaches involving non-encrypted personal information
For small businesses below the CCPA thresholds, direct enforcement is rare — the AG focuses on larger companies. But the private right of action is a real risk if you have a data breach. Hosting data in encrypted form (which Pointify does by default) eliminates this exposure.
State law sprawl — Virginia, Colorado, Texas, etc.
By 2026, more than 15 US states have CCPA-style privacy laws. Each has slightly different thresholds and rights, but the practical compliance approach is the same: collect minimum data, give consumers access/deletion/opt-out rights, sign DPAs with vendors, host data securely.
If you build for CCPA, you’re largely covered for Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) too. Texas (TDPSA) has slightly different requirements but the same core principles.
Conclusion
CCPA shouldn’t be a reason to avoid running a digital loyalty program. The right platform handles most compliance for you. Key principles: minimize data collected, sign a DPA with the platform, provide a clear privacy policy, support consumer rights from inside the app, encrypt data at rest.
Pointify meets all of these by default. Full description in our privacy policy. If you have CCPA questions before launching, get in touch. More guides: best loyalty app for US small businesses, punch card vs digital, launch a loyalty program in seven days.