On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc., resolving allegations that Sephora violated the California Consumer Privacy Act (“CCPA”). At the same time, the Attorney General released the complaint filed in California Superior Court detailing the allegations, as well as the final judgment stipulated by the parties and entered by the court (per the judgment, Sephora is accepting the penalties imposed without admitting to any liability).

The settlement is notable for several reasons. It marks the first time the Attorney General has exercised their authority under the CCPA to seek a court order imposing civil monetary penalties and other relief for alleged violations. The timing is significant because the California Privacy Rights Act (“CPRA”), which consists of several significant amendments to the CCPA, is scheduled to take effect on January 1, 2023. The settlement also offers some important takeaways, and a warning, for companies who are still developing, or updating, their compliance programs in preparation for the CPRA.

There is a lot more to Sephora’s settlement than the $1.2 million fine.

The CCPA empowers a court to impose a monetary penalty of up to $2,500 per violation (or up to $7,500 per “intentional” violation). The Attorney General alleged that Sephora violated the CCPA every time a California resident visited its website on or after July 25, 2021 (the date the Attorney General delivered a notice of violation to Sephora), because Sephora did not disclose that it was “selling” visitors’ personal information and did not offer visitors the ability to opt out of that “sale” (more on that below). As part of the settlement, the court entered a total penalty of $1.2 million against Sephora, and ordered it to comply with the CCPA’s requirements concerning “sales” of personal information.

While $1.2 million is a substantial penalty for most businesses, from Sephora’s perspective, it probably isn’t the most burdensome aspect of the settlement. The court also ordered Sephora to do the following within 180 days, and for a period of two years thereafter:

  • Implement and maintain a program to assess and monitor whether it is effectively processing consumer requests to opt-out of the sale of their personal information, and to annually provide a detailed, public report regarding the effectiveness of that program, errors or technical problems encountered in implementing the program, and steps taken by Sephora to fix those errors or problems; and
  • Conduct an annual regular review of its website and mobile applications to determine the entities to which it makes available personal information, and document and share the results of this review with the public, including the names of those entities, the purposes for making personal information available to them, and whether Sephora characterizes those entities as “service providers” as defined in the CCPA

As a result, not only must Sephora implement a comprehensive and detailed compliance program, it must do so with the Attorney General, and the public, looking over its shoulder for at least the next two years. As a practical matter, the annual review of websites and mobile applications, and the inventory and classification of entities accessing personal information through them, is just one of the things every regulated business should be doing now, if they haven’t already. The Attorney General is sending the message that businesses who haven’t done this already can be forced to do so later, at a much higher cost.

According to the Attorney General, if you’re using common analytics or advertising cookies on your website, you are “selling” the personal information of your website visitors to the providers of those cookies unless you have ensured that those providers are acting solely as your “service providers.”

The CCPA requires every business to disclose, in its privacy policy, whether it “sells” the personal information of California residents, and to describe the categories of personal information sold over the preceding 12 months. Businesses that “sell” personal information must allow consumers to opt-out of those sales via a prominent, “Do Not Sell My Personal Information” button or link, and by other means the CCPA deems necessary.

The CCPA defines “sale” broadly. It includes: “[M]aking available . . . a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.” Since the CCPA’s enactment in 2018, some businesses have taken the position that the use of common analytics or advertising cookies and other trackers, such as Facebook Pixel and Google Analytics, does not constitute a sale of visitors’ IP address, browsing activity or other personal information to Facebook, Google or other providers of those trackers. After the Sephora settlement, it’s now more clear than ever that the Attorney General strongly disagrees with this position and is willing to enforce a maximalist view of the CCPA’s “sale” requirements.

The Attorney General alleged that Sephora, in addition to collecting personal information for itself through its website, “also makes consumers’ personal information available to third-party companies for the purpose of obtaining advertising and analytics . . . Sephora made this data available to these companies by installing (or allowing the installation of) third-party trackers in the form of cookies, pixels, software development kits, and other technologies, which automatically send data about consumers’ online behavior to the third-party companies.” In the Attorney General’s view, “Sephora’s decision to provide third parties including ‘advertising networks, business partners, [and] data analytics providers’ with access to its customers’ data in exchange for services from those entities was a sale of personal information as defined in the CCPA.”

The complaint details an example of an alleged “sale” that is very relevant to every business using the ubiquitous Google Analytics tools and related services:

“Sephora installed one widely-used analytics and advertising software package that let the analytics provider gather and keep personal information about an online shopper’s activities. The analytics provider then gave Sephora data about what shoppers did on its website or in its app, like how many people looked at a particular product. The analytics provider also would determine who the shopper was, using extensive data gathered from other sources, and then present Sephora with the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network. Both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA.”

Furthermore, “Sephora knew that these third parties would collect personal information when Sephora installed or allowed the installation of the relevant code on its website or in its app. Sephora also knew that it would receive discounted or higher-quality analytics and other services derived from the data about consumers’ online activities, including the option to target advertisements to customers that had merely browsed for products online.” And, “Sephora did not have valid service-provider contracts in place with each third party, which is one exception to ‘sale’ under the CCPA. All of these transactions were sales under the law.”

The message from the Attorney General is clear: If you use third party analytics cookies on your site, you are selling the personal information of your site visitors to the provider of those cookies. It doesn’t matter if the analytics data you get back is “anonymized” or “aggregated.” You’ve already “sold” the visitors’ IP address, browsing data or other personal information associated with the cookie by allowing the cookie to be placed through your site.

Despite this widely-applicable message, the settlement leaves open some significant questions: Assuming the Attorney General was referring to Google Analytics or other Google services, did Sephora activate Google’s “restricted data processing” feature, which Google says qualifies them as a “service provider” under the CCPA? If it did, does the Attorney General believe that Google’s “restricted data processing” terms fail to meet the CCPA’s requirements for a “service provider” contract? Should regulated businesses stop relying on assurances from Google, Facebook, et al. in making their compliance decisions regarding cookies and other tracking technologies?

If you receive a notice of violation in 2023, it may not offer you an opportunity to cure and avoid further enforcement action.

The CPRA becomes enforceable on July 1, 2023, and only for violations occurring on or after July 1, 2023. Until then, the current CCPA, which was applied in the Sephora settlement, remains enforceable.

Currently, the CCPA requires the Attorney General to give an alleged violator 30 days to cure an alleged violation. According to the Attorney General, Sephora failed to take advantage of that opportunity, necessitating the public enforcement action.

The Attorney General’s press release concerning the Sephora settlement stresses that the right to cure is only temporary: “The CCPA’s notice and cure provision, which requires business to receive notice and opportunity to cure before they can be held accountable by the Attorney General for CCPA violations, will expire on January 1, 2023,” when the CPRA takes effect. When the California Privacy Protection Agency assumes primary enforcement duties on July 1, 2023, it will have the power to impose administrative fines, meaning it can fine violators without an order from the Superior Court.

The expiration of the right to cure violations, combined with the Agency’s new enforcement powers, means fines for some first-time offenders are a real possibility starting next year. With the Sephora settlement, the Attorney General is warning covered businesses, particular those who are consumer-facing e-commerce companies, that the CCPA’s era of second chances may be coming to an end.