California Attorney General Announces First CCPA Settlement Against Sephora
On 24 August 2022, the California Attorney General announced a US$1.2 million settlement including injunctive relief terms with cosmetic giant Sephora, Inc. (Sephora), resolving allegations that the company violated the California Consumer Privacy Act (CCPA). Sephora allegedly failed to disclose to consumers it was selling their personal information, and the company did not process user requests to opt out of the sale of personal information submitted via Global Privacy Control, a third-party browser-setting tool for individuals to manage their privacy preferences that allows consumers to opt out of the sale of their personal information by sending a signal to each visited site. Sephora also allegedly failed to cure the violations within the 30-day cure period allowed under the CCPA.
The Black Letter Law and CCPA Requirements
The CCPA defines “selling” consumer personal information as:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”1
When a business “sells” personal information, the CCPA requires businesses to disclose that fact to any consumers that provided the business with personal information, while also giving those consumers the option to opt out of the sale of their personal information. The right to opt out must be prominently displayed on the business’ website or privacy policy via a link. By clicking the opt-out link, consumers should be presented with the option to direct the business to refrain from selling their personal information. Additionally, the California Attorney General has stated that online third-party privacy management tools, like Global Privacy Control, must be honored by companies as if consumers had submitted opt-out requests directly on the business’ websites. Global Privacy Control essentially allows consumers to exercise opt-out requests without consumers having to submit an individual request to every website they have visited.
Following notice of a reported CCPA violation, the CCPA currently allows 30 calendar days for businesses to cure any violation. Sephora did not cure the reported violation within this allotted period. It is worth noting that there is no cure period under the California Privacy Rights Act, which replaces CCPA on 1 January 2023.
What Is Next For Sephora?
The California Attorney General hopes the US$1.2 million settlement “sends a strong message to businesses that are still failing to comply with California’s consumer privacy law.”2 The California Attorney General also sent additional notices to various businesses alleging noncompliance with the CCPA’s requirement that companies process consumer opt-out requests made via the user-enabled Global Privacy Control, signaling a ramp-up in potential enforcement actions. In addition to the monetary penalty, Sephora must:
- Clarify its online disclosures and privacy policy to include affirmative representations that it sells personal information;
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the California Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.3
Lessons From the CCPA Enforcement Action
With additional notices being issued by the California Attorney General, scrutiny is clearly heightened, which further increases the need for companies to understand how they collect and use personal information from website users and to ensure their privacy policies contain accurate disclosures. If personal information is “sold,” as per the CCPA’s definition, businesses need to verify that their privacy policy conspicuously and expressly says so and that individuals are given an opt-out mechanism that is easy to use. Additionally, businesses whose websites do not recognize signals like those sent by the Global Privacy Control are at risk of an enforcement action if they do not implement solutions to track and comply with users’ opt-out requests.
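As an added illustration (not code from this article, from Sephora, or from the Attorney General's office), the following Python sketch shows the mechanism described in the sections on the Global Privacy Control above: a site treats the browser signal exactly like an opt-out submitted through its own link, remembers the preference for later requests, and keeps the audit trail that reporting on its efforts to honor the signal would draw on. It assumes, per the Global Privacy Control specification rather than this article, that the signal arrives as the `Sec-GPC: 1` request header; the user ids, tag list and in-memory registry are constructed for the example.

```python
"""Honouring a Global Privacy Control (GPC) opt-out signal server-side.

Added illustration; assumes the GPC specification's request header
"Sec-GPC: 1" carries the signal. Everything else (user ids, tag names,
the in-memory registry) is constructed for the example.
"""
from dataclasses import dataclass, field

GPC_HEADER = "sec-gpc"          # header name, compared case-insensitively
GPC_ON = "1"                    # the only value that means "opt out"


@dataclass
class OptOutRegistry:
    """Remembers who has opted out and keeps an audit trail of each new opt-out."""
    opted_out: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def record(self, user_id: str, source: str) -> None:
        # Only the first opt-out per user is logged; repeats change nothing.
        if user_id not in self.opted_out:
            self.opted_out.add(user_id)
            self.audit.append({"user": user_id, "source": source})


def gpc_signal_present(headers: dict) -> bool:
    """True only when the request carried exactly Sec-GPC: 1."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_ON
    return False


def resolve_sale_opt_out(headers: dict, user_id: str, registry: OptOutRegistry,
                         explicit_request: bool = False) -> bool:
    """Decide whether this user's personal information may NOT be sold.

    A GPC header is treated like an opt-out submitted through the site's own
    link, and the preference is persisted so that later requests from the
    same user (e.g. from a browser without GPC enabled) stay opted out.
    """
    if explicit_request:
        registry.record(user_id, "site-link")
    elif gpc_signal_present(headers):
        registry.record(user_id, "gpc-header")
    return user_id in registry.opted_out


def third_party_tags_for(headers: dict, user_id: str, registry: OptOutRegistry,
                         candidate_tags: list) -> list:
    """Return the names of third-party tags a page may load for this request.

    Tags whose data flow constitutes a 'sale' are dropped once the user has
    opted out; tags that do not (e.g. a service-provider integration) stay.
    """
    allowed = not resolve_sale_opt_out(headers, user_id, registry)
    return [t["name"] for t in candidate_tags if allowed or not t["is_sale"]]


# Constructed sample data for a stand-alone run.
SAMPLE_TAGS = [
    {"name": "ad-exchange-pixel", "is_sale": True},
    {"name": "site-analytics", "is_sale": False},
]


def demo():
    """Three constructed requests: GPC on, same user later without GPC, another user with GPC off."""
    registry = OptOutRegistry()
    first = third_party_tags_for({"Sec-GPC": "1"}, "visitor-42", registry, SAMPLE_TAGS)
    later = third_party_tags_for({}, "visitor-42", registry, SAMPLE_TAGS)
    other = third_party_tags_for({"Sec-GPC": "0"}, "visitor-7", registry, SAMPLE_TAGS)
    return first, later, other, registry.audit


if __name__ == "__main__":
    print(demo())
```

The two points a practitioner should take from this: the signal is a strict match on the header value, so a header that is present but not `1` is not an opt-out, and the decision is recorded per user rather than re-derived on each request, so a preference expressed once keeps being honored and can be evidenced later.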