The groundbreaking settlement focuses on California Consumer Privacy Act ("CCPA") violations involving sales of data and honoring global privacy controls.

On August 24, 2022, California Attorney General Rob Bonta announced his office's first privacy enforcement action and settlement against a publicly disclosed entity, Sephora, Inc., for violations of the CCPA, including the failure to provide notice of sales of personal information. Prior to this announcement, the California Attorney General's Office issued only generalized summaries of CCPA enforcement actions without disclosing the names of enforcement subjects. Last week's settlement announcement of a $1.2 million penalty against Sephora signals enhanced enforcement for violations of CCPA's privacy provisions.

The California Attorney General alleged that Sephora failed to comply with the CCPA in three ways: (i) it did not disclose to consumers that it was selling their personal information; (ii) it failed to process consumer requests to opt out of sale via user-enabled global privacy controls; and (iii) it did not fix these violations within the 30-day CCPA cure period. As part of the settlement, Sephora agreed to update its consumer privacy disclosures to indicate that it sells consumer personal information, will allow consumers to opt out of the sale, and revise its agreements with third-party service providers to restrict third parties' use of consumer personal information. The settlement also requires Sephora to submit to the California Attorney General regular compliance reports for two years.

Two Insights Into California Attorney General's Enforcement Priorities

First, this enforcement action underscores the importance of the global privacy control ("GPC"), a mechanism via which users can signal to businesses that they do not want their personal information sold. The GPC-related provisions of the settlement were a significant focus of both the press release and the settlement order.

Second, the settlement reflects the California Attorney General's view that a "sale" of personal information occurs where a business allows a third party—e.g., an analytics provider—to collect consumer personal information for the third party's own commercial benefit in exchange for providing free services to the business. The settlement indicates that a "sale" under the CCPA can capture sharing of data for a third party's benefit even when no monetary consideration has been exchanged.

The settlement indicates increased enforcement risks in California under the CCPA and the upcoming California Privacy Rights Act ("CPRA"). This risk is heightened under the CPRA because it expands certain consumer rights and protections that become effective on January 1, 2023. For more information on the CPRA and its rulemaking, see our client alert here. Businesses should continue to monitor these developments and frequently review their CCPA/CPRA compliance program to manage this increased enforcement risk.