California Attorney General Announces First CCPA Settlement Against Sephora
On 24 August 2022, the California Attorney General announced a US$1.2 million settlement including injunctive relief terms with cosmetic giant Sephora, Inc. (Sephora), resolving allegations that the company violated the California Consumer Privacy Act (CCPA). Sephora allegedly failed to disclose to consumers it was selling their personal information, and the company did not process user requests to opt out of the sale of personal information submitted via Global Privacy Control, a third-party browser-setting tool for individuals to manage their privacy preferences that allows consumers to opt out of the sale of their personal information by sending a signal to each visited site. Sephora also allegedly failed to cure the violations within the 30-day cure period allowed under the CCPA.
The Black Letter Law and CCPA Requirements
The CCPA defines “selling” consumer personal information as:
"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.1"
Following notice of a reported CCPA violation, the CCPA currently allows 30 calendar days for businesses to cure any violation. Sephora did not cure the reported violation within this allotted period. It is worth noting that there is no cure period under the California Privacy Rights Act, which replaces CCPA on 1 January 2023.
What Is Next For Sephora?
The California Attorney General hopes the US$1.2 million settlement “sends a strong message to businesses that are still failing to comply with California’s consumer privacy law.”2 Additional notices were sent by the California Attorney General to various businesses alleging noncompliance of the CCPA’s requirement for companies to process consumer opt-out requests made via the user-enabled Global Privacy Control, signaling a ramp up in potential enforcement actions. In addition to the monetary penalty, Sephora must:
- Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the California Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.3
Lessons From the CCPA Enforcement Action
For questions regarding data privacy and information security, please contact our Data Protection, Privacy, and Security team below.
1 Cal. Civ. Code § 1798.140(t)(1).
2 Press Release, Cal. Dep’t of Just., Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.