On August 24, 2022, the California Attorney General announced a settlement with the multinational online retailer Sephora, Inc. (Sephora), resolving allegations that the company violated the California Consumer Privacy Act (CCPA). This is the first settlement of a CCPA enforcement action.
After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to disclose to consumers that it was selling their personal information, that it failed to process opt-out requests sent via user-enabled global privacy controls, in violation of the CCPA, and that it did not cure these violations within the 30-day cure period the CCPA currently allows.
Many online retailers allow third-party companies to install tracking code on their website and in their app so that those third parties can monitor consumers as they shop. These third parties collect all types of data. In Sephora's case, the third parties could build profiles of consumers by tracking whether a consumer was using a MacBook or a Dell, the brand of eyeliner or the prenatal vitamins a consumer put in their "shopping cart," and even a consumer's precise location.
Sephora's arrangement with these companies constituted a sale of consumer information under the CCPA, which triggered certain basic obligations, such as telling consumers that it was selling their information and allowing consumers to opt out of that sale. Sephora did neither.
This settlement requires Sephora to pay $1.2 million in penalties and comply with important injunctive terms. Specifically, Sephora must:
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control (GPC);
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor GPC.
GPC allows consumers to opt out of all online sales in one fell swoop by broadcasting a "do not sell" signal to every website they visit, without having to click an opt-out link on each site. Under the CCPA, businesses must treat opt-out requests made through user-enabled global privacy controls the same as requests made by users who click the "Do Not Sell My Personal Information" link.
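For an engineer asked to make a site honor GPC, the signal arrives in two concrete forms: browsers that have it enabled send the HTTP request header `Sec-GPC: 1`, and in-page scripts can read `navigator.globalPrivacyControl`. The following is an added example, not Sephora's code or code from the settlement, showing both checks and one way to gate third-party tags on the result. The vendor list, the `role`/`purpose` fields and the request headers are constructed for illustration; the split between third parties (whose tags are withheld on opt-out) and contracted service providers (whose tags still load) mirrors the distinction the settlement draws, but the classification of any real vendor is a legal determination, not something this code can decide.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out signal.
// Not Sephora's code. Vendor names and roles below are constructed.

// Server side. Per the GPC specification the header is "Sec-GPC" and the
// field value must be exactly "1". Treat anything else as "no signal".
function gpcOptOutFromHeaders(headers) {
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === 'sec-gpc');
  if (!entry) return false;
  return String(entry[1]).trim() === '1';
}

// Client side. Browsers that implement GPC expose a boolean on navigator;
// the parameter exists so the check can be exercised outside a browser.
function gpcOptOutFromNavigator(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed vendor inventory. "third_party" vendors receive data for
// advertising or analytics, which the settlement treats as a sale;
// "service_provider" vendors operate under a CCPA-conforming contract.
const VENDORS = [
  { name: 'ad-network.example', role: 'third_party', purpose: 'advertising' },
  { name: 'analytics.example', role: 'third_party', purpose: 'analytics' },
  { name: 'payments.example', role: 'service_provider', purpose: 'checkout' },
];

// When the user has opted out, only service-provider tags may load.
function allowedVendors(optOut, vendors = VENDORS) {
  return vendors.filter((v) => !optOut || v.role === 'service_provider');
}

// Combine the two signals: an opt-out from either source is an opt-out.
// A real deployment would also persist the decision against the user's
// account or session so it survives across requests.
function decideForRequest(headers, nav, vendors = VENDORS) {
  const optOut = gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(nav);
  return { optOut, allowed: allowedVendors(optOut, vendors).map((v) => v.name) };
}

// Constructed sample requests.
const REQUEST_WITH_GPC = { 'Sec-GPC': '1', 'User-Agent': 'constructed' };
const REQUEST_WITHOUT_GPC = { 'User-Agent': 'constructed' };

console.log(decideForRequest(REQUEST_WITH_GPC, undefined));
console.log(decideForRequest(REQUEST_WITHOUT_GPC, undefined));
```

The header check is deliberately strict: the specification defines only the value `1`, so `Sec-GPC: 0` or a malformed value is treated as no signal rather than as a tracking consent. The opposite failure mode, treating a missing header as an opt-out, would block service-provider tags for every visitor, so the default is "no signal" and the opt-out is applied only when one of the two sources positively asserts it.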
This settlement makes clear that, in the Attorney General's view, sharing personal information with third parties for targeted advertising or analytics purposes constitutes a sale under the CCPA, for which consumers must be offered an opportunity to opt out. It also sends a strong message that the Attorney General is serious about enforcing GPC compliance.