On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora to account for alleged violations of the California Consumer Privacy Act (CCPA). This is the first CCPA enforcement action taken by the California AG that has resulted in a fine and settlement.
The Attorney General’s Complaint alleged Sephora violated the CCPA, and failed to cure such violations after receiving 30 days’ notice, by failing to (i) disclose that Sephora sold consumer information to third parties; (ii) post a “Do Not Sell My Personal Information” link on its website; (iii) have sufficient service provider agreements in place with third parties to prevent transfers of data to those third parties from constituting “sales” under the CCPA; and (iv) process opt-out preference signals received from user-enabled global privacy controls.
According to the Complaint, Sephora used third-party tracking technologies that collect consumer information automatically (like cookies and pixels) to collect consumers’ personal information. These tools were configured to enable third-party digital advertisers to monitor information such as items consumers put in their online shopping carts. Those third parties allegedly used these details to create profiles of Sephora consumers, and offer Sephora online advertising space to target those specific consumers.
Here, we highlight two key takeaways from the Sephora Complaint and Settlement:
- The California Attorney General takes the definitive position that sharing personal information with digital advertising and analytics providers constitutes a “sale” under the CCPA unless the business has contractual terms in place that strictly adhere to CCPA service provider standards.
The Complaint states, “If companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be ‘selling’ personal information under the law. … Sephora’s decision to provide third parties including ‘advertising networks, business partners, [and] data analytics providers’ with access to its customers’ data in exchange for services from those entities was a sale of personal information defined by the CCPA.” Notably, the Complaint states that Sephora received discounted advertising and analytics services for providing the consumer information to the third parties and that Sephora had knowledge of such discounts. This could be a key factor as businesses consider their relationships with digital advertising and analytics vendors.
- Not responding to Global Privacy Controls (GPC) is a violation of the CCPA.
Sephora failed “to treat the GPC as a consumer’s opt-out of the sale of their personal information and continu[ed] to sell personal information to third parties despite receiving a GPC signal.” This eliminates doubt as to another policy position of the California AG. The AG is making clear that it views global privacy control mechanisms as mandatory under the CCPA.
In addition to the payment, Sephora will need to conduct annual reviews of its websites and mobile applications to assess their compliance with the CCPA. After conducting the reviews, Sephora will provide a report to the state of California, which will include a list of entities with which Sephora shares consumers’ personal information.
California privacy law continues to rapidly evolve. Many common business practices are coming within the scope of new privacy-related standards and restrictions, sometimes abruptly. We will continue to monitor the activities of the California Attorney General and the California Privacy Protection Agency (“CPPA”) in their respective enforcement efforts, the rulemaking process ongoing with the CPPA, and the end of the legislative session for any potential updates on issues such as the status of employee personal information under the CCPA.