California Attorney General Rob Bonta announced a settlement with Sephora, Inc. (Sephora) in August, resolving allegations that the company violated the California Consumer Privacy Act (CCPA), California’s first-in-the-nation landmark privacy law. After conducting an enforcement sweep of online retailers, Attorney General Bonta alleged that Sephora failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the 30-day period currently allowed by the CCPA. Today’s settlement is part of ongoing efforts by the Attorney General to enforce California’s comprehensive consumer privacy law, which allows consumers to tell businesses to stop selling their personal information to third parties, including through requests signaled by the Global Privacy Control (GPC).
“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customers’ data and ignore requests to opt-out of its sale,” said Attorney General Bonta. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
The settlement with Sephora underscores the critical rights that consumers have under CCPA to fight commercial surveillance. Consumers are constantly tracked when they go online. Many online retailers allow third-party companies to install tracking software on their website and in their app so that third parties can monitor consumers as they shop. These third parties track all types of data – in Sephora’s case, the third parties could create profiles about consumers by tracking whether a consumer is using a MacBook or a Dell, the brand of eyeliner or the prenatal vitamins that a consumer puts in their “shopping cart,” and even a consumer’s precise location. Retailers like Sephora benefit in kind from these arrangements, which allow them to more effectively target potential customers.
Sephora’s arrangement with these companies constituted a sale of consumer information under the CCPA, and it triggered certain basic obligations, such as telling consumers that it is selling their information and allowing consumers to opt-out of the sale of their information. Sephora did neither.
Today’s settlement requires Sephora to pay $1.2 million in penalties and comply with important injunctive terms. Specifically, Sephora must:
- Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
- Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.
As part of his ongoing efforts to enforce CCPA, Attorney General Bonta also sent notices today to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC. A global privacy control allows consumers to opt-out of all online sales in one fell swoop by broadcasting a “do not sell” signal across every website they visit, without having to click on an opt-out link each time. Under the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General. The CCPA’s notice and cure provision, which requires businesses to receive notice and opportunity to cure before they can be held accountable by the Attorney General for CCPA violations, will expire on January 1, 2023.
Attorney General Bonta is committed to the robust enforcement of California’s groundbreaking data privacy law. Since July 1, 2020, the Attorney General has issued notices to a wide array of businesses alleging noncompliance with the CCPA. Notices to cure have been issued to major corporations in the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others. New examples of notices to cure are available on the CCPA website and include:
- An enforcement sweep of businesses operating loyalty programs that offered financial incentives such as discounts, free items, or other rewards in exchange for personal information without providing consumers with a notice of financial incentive;
- An online advertising business whose privacy disclosures were not understandable to the average consumer and did not include the required information; and
- A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.
For more information about the CCPA, visit the website. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report. Consumers can also directly notify businesses of potential violations using the Consumer Privacy Tool.