August 24, 2022, marked a milestone for the California Consumer Privacy Act (CCPA): the California Attorney General announced the first enforcement and settlement against beauty retailer Sephora.
Since July 2022, the California Attorney General’s (AG) office has conducted an investigative sweep of online retailers to check compliance with the CCPA and has sent out over 100 notices of alleged CCPA violations. The notices provided a 30-day period for businesses to correct alleged violations before an enforcement measure was taken. Attorney General Rob Bonta stated that after the notices, the “vast majority” of businesses changed their practices to comply with the CCPA.
The State alleged that Sephora violated the CCPA by failing to disclose to consumers that it was selling their personal information, by failing to process user requests to opt out of sale via user-enabled global privacy controls, and by not curing these violations within the 30-day period of notice. Specifically, the State alleged that Sephora failed to notify its consumers that it had arrangements with third parties (such as market research firms) under which Sephora allowed them to install tracking software on its website and app so that the third parties could monitor consumers as they shopped. Under the terms of the settlement, “sale” included “sale using online tracking technology,” which was broadly defined as where a business discloses or makes available consumers’ personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software developer kits, third-party libraries, and cookies in exchange for monetary or other valuable consideration, including personal information or other information such as analytics or free or discounted services. In other words, the idea of “sale” was broader than simply selling information to a third party in exchange for money.
The State considered Sephora’s arrangement with these third parties a “sale” of consumer information under the CCPA. In short, the State alleged that: “Sephora did not tell consumers that it sold their personal information; instead, Sephora did the opposite, telling California consumers on its website that ‘we do not sell personal information.’”
The State and Sephora have reached a settlement that includes $1.2 million in penalties as well as injunctive terms, including:
- Allow consumers to opt out of the sale of personal info, including via Global Privacy Control
- Clarify its online disclosures and privacy policy
- Conform its service provider agreements to the CCPA
- Provide reports to the Attorney General relating to its sale of personal information
On January 1, 2023, the California Privacy Rights Act (CPRA) takes effect and amends the CCPA to eliminate the cure period and instead only allow the California Privacy Protection Agency (CPPA) discretion to provide time to cure.
In light of the State’s push toward enforcement and the rapidly approaching effective date of the CPRA, businesses must review their compliance efforts with the CCPA and CPRA.