On August 24, California Attorney General Rob Bonta announced the first enforcement action under the California Consumer Privacy Act (CCPA). In a $1.2 million dollar settlement, the Attorney General resolved claims that Sephora, Inc. (Sephora) violated the CCPA by failing to inform consumers that it “sold” their personal information, as defined in the CCPA, and by not properly honoring consumer opt-out requests. This settlement was significant not only because it was the first published settlement of a CCPA enforcement action, but also because it sheds light on how California regulators will interpret the definition of “sale” of personal information under the CCPA.

Background

According to the Attorney General’s complaint, Sephora installed third-party cookies and tracking pixels on its website and mobile app that monitored and profiled user activity to assist Sephora and third-party advertisers with targeted advertising. The consumer data gathered from visitors’ browsers was then packaged and sold by the third-party data company to other businesses seeking to target similar types of consumers. Under the CCPA, making consumer personal information available to third parties and receiving a benefit from the arrangement constitutes the “sale” of personal information, and companies “selling” the information are required to notify consumers of the sale.

According to the Attorney General, Sephora’s conduct constituted a “sale” under the CCPA, but Sephora failed to notify consumers pursuant to the act. The company also allegedly failed to provide consumers with an easy to locate “Do Not Sell My Personal Information” link on its website, as required by the CCPA. Despite being notified by the Attorney General, Sephora failed to cure these alleged violations within 30 days of notice, as currently allowed under the CCPA. Finally, the Attorney General alleged Sephora did not have proper service provider terms in place with its vendors that processed data on the company’s behalf, in further violation of the CCPA.

Under the settlement, Sephora agreed to pay $1.2 million in penalties and to certain undertakings, including:

  • Clarifying its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Providing mechanisms for consumers to opt out of the sale of personal information;
  • Conforming its service provider agreements to the CCPA’s requirements; and
  • Providing reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor GPC.

California Privacy Legislation

The CCPA was passed into law on January 1, 2020, and enforcement began July 1, 2020. Among other things, the CCPA grants consumers the right to know about personal information collected and how it is used and shared, the right to delete personal information collected, the right to opt-out of sales of personal information, and the right to non-discrimination for exercising one’s CCPA rights. For-profit companies that do business in California and (i) have annual gross revenues over $25 million, (ii) derive at least 50-percent of their annual revenues from selling consumers’ personal information, or (iii) annually buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices are subject to the CCPA. The CCPA currently includes a 30-day cure period that allows companies an opportunity to correct alleged violations before becoming subject to enforcement, but that allowance expires January 1, 2023.

The California Privacy Rights Act (CPRA), which goes into effect January 1, 2023, will both expand upon the privacy rights protected by the CCPA and add new rights of its own. Notably, it will provide consumers the rights to correct their personal information and to limit the use and disclosure of sensitive personal information. In addition to the Attorney General, a recently formed California Privacy Protection Agency (CPPA) will have enforcement authority under the new law. The CPPA has issued draft regulations and is in the process of promulgating rules pursuant to the CPRA.

Key Takeaways

In light of the Sephora settlement, companies operating in California should be on notice that the Attorney General is actively enforcing the CCPA and should be preparing for the CPRA to go into effect January 1. The Attorney General’ inquiry regarding Sephora began with a June 2021 enforcement sweep of large retailers to determine whether their websites honored customer opt-out preferences via the Global Privacy Control (GPC). GPC is a browser extension designed to notify businesses of consumers’ privacy preferences, which, in the view of the Attorney General, businesses are required to honor under the CCPA. The results of the Attorney General’s sweep led to an additional investigation regarding Sephora’s privacy notice and opt-out processes, during which additional alleged CCPA compliance failures surfaced. Sephora was notified of these alleged violations, but purportedly failed to cure them within 30 days, leading to a broader investigation that ultimately resulted in the recently settled enforcement action. The 30-day cure period under the CCPA will be discretionary under the CPRA. Bonta has noted that “the kid gloves are coming off” with the CCPA’s right to cure period ending, and that “there are no more excuses” for noncompliance.

Companies should also note that sharing information with internet advertising networks will likely be an area of priority for both the Attorney General and the CPPA under the CPRA. The third-party technology deployed by Sephora is currently utilized by millions of other websites that serve targeted advertising to visitors.

Numerous other states have enacted or are in the process of enacting comprehensive data privacy laws similar to the CCPA and CPRA. As of August 2022, Colorado, Connecticut, Utah, and Virginia have enacted comprehensive privacy legislation that will soon begin to be enforced.