CCPA § 1798.125(b) permits financial incentive programs — discounts, loyalty points, free-tier upgrades in exchange for allowing data use — but imposes strict conditions: material terms disclosed before enrollment, a good-faith estimate of the monetary value of the consumer's data, explicit opt-in (not auto-enrollment), and the ability to withdraw at any time. A referral program that offers credits for sharing contact data with no policy disclosure, or a loyalty program that enrolls all registered users by default, violates all of these conditions simultaneously. The "value of personal information" disclosure is the most commonly missed requirement and the one regulators have specifically called out in guidance.
Medium, because financial incentive violations require a specific program to exist; but when such a program does exist, the missing disclosure and the opt-out default structure are concurrent statutory violations under § 1798.125(b).
Add a Financial Incentive Programs section to your privacy policy and convert any auto-enrolled program to an explicit opt-in with a distinct UI action.
## Financial Incentive Programs (privacy policy section)

**[Program Name]**: We offer [benefit, e.g., 10% discount] to consumers who allow us to use their email for personalized marketing.

Estimated value of consumer data: approximately $[X] per consumer per year, calculated based on [methodology, e.g., cost of equivalent paid acquisition].

To join: click "Join [Program]" in account settings — affirmative consent required.

To withdraw: visit account settings at any time; withdrawal does not affect your access to the standard service.
In the UI, replace any auto-enrollment on signup with a distinct checkbox or modal that requires a deliberate action. Never bundle consent to a financial incentive program into the main terms-of-service acceptance. See src/app/settings/page.tsx for the appropriate placement.
ID: ccpa-readiness.privacy-disclosures.financial-incentive-disclosure
Severity: medium
What to look for: Look for any program where consumers receive a benefit in exchange for providing personal information or allowing data use: loyalty points, discounts, free tier upgrades, referral bonuses, or any other valuable consideration tied to data sharing. CCPA/CPRA categorizes these as "financial incentive programs" and requires: (1) clear disclosure of the material terms before the consumer opts in, (2) an explanation of the good-faith estimate of the monetary value of the consumer's data to the business, (3) explicit opt-in consent (not opt-out), and (4) the ability to withdraw from the program at any time. Check the privacy policy for a "Financial Incentive" section. Check whether any such program requires explicit opt-in rather than passive enrollment. Count all instances found and enumerate each.
Pass criteria: If any financial incentive program exists, its material terms are disclosed in the privacy policy (including the estimated value of consumer data), consumers must explicitly opt in, and they can withdraw at any time without loss of the standard service. At least 1 implementation must be confirmed.
Fail criteria: Financial incentive program exists but material terms are not disclosed in the privacy policy. Program enrolls consumers by default (opt-out structure instead of opt-in). No disclosure of the estimated monetary value of consumer data.
Skip (N/A) when: Application has no financial incentive programs — no loyalty points, discounts, or other benefits tied to PI collection or data sharing. Document that this is the case.
Detail on fail: Example: "Referral program found (src/app/referral/) — offers credits in exchange for sharing contact data — but no financial incentive disclosure in privacy policy and no monetary value estimate." or "Loyalty program automatically enrolls all registered users without separate opt-in."
Remediation: Add a Financial Incentives section to your privacy policy and implement opt-in enrollment:
## Financial Incentive Programs (add to privacy policy)

We offer the following programs that involve the use of your personal information:

**[Program Name]**: We offer [describe benefit, e.g., "10% discount on purchases"] to consumers who allow us to use their email address for personalized marketing.

Estimated value of consumer data: We estimate the value of the personal information collected through this program to be approximately $[X] per consumer per year, based on [methodology, e.g., "the cost of acquiring equivalent marketing leads through paid channels"].

To participate: Click "Join [Program Name]" in your account settings. Participation is voluntary and requires your affirmative consent.

To withdraw: You may withdraw from the program at any time by visiting your account settings and clicking "Leave [Program Name]." Withdrawal does not affect your access to our standard service.
Implement explicit opt-in in the UI: never auto-enroll, always require a distinct affirmative action (checkbox, button click with confirmation) to join a financial incentive program.
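The pass / fail / N/A logic of this check and the remediation above, written out as an added TypeScript example (not part of this checklist or any project's code). It assumes a hypothetical program inventory shape and uses constructed policy excerpts; the text matching is a heuristic, not a substitute for reading the policy.

```typescript
// Added example, not part of this checklist or any project's code: models the four
// § 1798.125(b) conditions as a check over a constructed program inventory and
// privacy-policy text, returning the pass / fail / N/A outcome the check defines.

interface IncentiveProgram {
  name: string;
  autoEnroll: boolean;             // true = opt-out structure, which fails the check
  withdrawAnytime: boolean;        // consumer can leave at any time
  withdrawalKeepsService: boolean; // leaving does not remove the standard service
}

interface Outcome {
  status: "pass" | "fail" | "n/a";
  findings: string[];
}

// Heuristic text checks for the policy section; a real review still reads the prose.
function hasIncentiveSection(policy: string): boolean {
  return /financial incentive/i.test(policy);
}

function hasValueEstimate(policy: string): boolean {
  // Requires a "value of consumer data / personal information" statement followed
  // by an actual dollar figure, so an unfilled "$[X]" template does not count.
  return /value of (the )?(consumer|personal) (data|information)[\s\S]*\$\s?\d/i.test(policy);
}

function evaluateCheck(programs: IncentiveProgram[], policy: string): Outcome {
  if (programs.length === 0) {
    return { status: "n/a", findings: ["No financial incentive programs; document as N/A."] };
  }
  const findings: string[] = [];
  if (!hasIncentiveSection(policy)) findings.push("No Financial Incentive section in privacy policy.");
  if (!hasValueEstimate(policy)) findings.push("No good-faith estimate of the monetary value of consumer data.");
  for (const p of programs) {
    if (p.autoEnroll) findings.push(`${p.name}: enrolls consumers by default (opt-out instead of opt-in).`);
    if (!p.withdrawAnytime) findings.push(`${p.name}: no withdrawal at any time.`);
    if (!p.withdrawalKeepsService) findings.push(`${p.name}: withdrawal removes standard service.`);
  }
  return { status: findings.length === 0 ? "pass" : "fail", findings };
}

// Constructed sample inputs (hypothetical programs and policy excerpts).
const POLICY_COMPLETE = `## Financial Incentive Programs
Estimated value of consumer data: approximately $4 per consumer per year.`;
const POLICY_NO_VALUE = `## Financial Incentive Programs
We offer 10% off to consumers who allow personalized marketing.`;
const loyaltyOptIn: IncentiveProgram = { name: "Loyalty points", autoEnroll: false, withdrawAnytime: true, withdrawalKeepsService: true };
const referralAutoEnroll: IncentiveProgram = { name: "Referral credits", autoEnroll: true, withdrawAnytime: true, withdrawalKeepsService: true };
```

Running `evaluateCheck([referralAutoEnroll], POLICY_NO_VALUE)` reproduces the two findings the "Detail on fail" text describes: a missing value estimate and default enrollment.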