First CCPA Enforcement Results in $1.2 Million Settlement Plus Injunctive Relief
On August 24, 2022, California Attorney General Rob Bonta announced the first public settlement for violations of the California Consumer Privacy Act (“CCPA”) – a $1.2 million settlement with beauty retailer Sephora to resolve allegations that Sephora had violated multiple CCPA requirements. The California Attorney General’s complaint against Sephora alleged that the retailer wrongly informed website visitors that it did not sell personal information and failed to provide an easily accessible “Do Not Sell My Personal Information” link on its website or in its mobile app.
Sephora Failed to Disclose It was Selling Customer Data
Sales of personal data under the CCPA are not limited to transfers of data in exchange for monetary payment. The CCPA broadly defines the sale of personal data as the exchange of personal information for anything of value. In Sephora’s case, consumers’ geolocation data and internet activity information were shared with Sephora’s third-party service providers, including advertising networks, business partners, and data analytics providers, in exchange for services.
In one exchange, Sephora installed an analytics and advertising software package on its website that allowed the analytics provider to gather information about an online shopper’s activities. The provider was then able to deliver browsing data to Sephora, such as the number of visitors viewing a particular product, as well as create profiles of individual website visitors for Sephora’s use in serving targeted advertisements to that consumer. Both of these exchanges satisfied the definition of sale under CCPA and were required to have been disclosed to consumers, but were not discussed in Sephora’s privacy policy or any other website or app notices.
Sephora Failed to Honor All Consumer Opt Outs
The CCPA requires businesses to allow consumers to opt out of the sale of their information through the use of Global Privacy Control (“GPC”) as well as by submitting a request directly to the business. The GPC is essentially a “stop selling my data” switch that is available on some browsers and broadly signals the consumer’s opt-out request to each website visited using that browser. In its investigation, the California AG found that activating the GPC had no effect on Sephora’s website and that consumer data continued to flow to the website and third-party service providers.
Sephora also failed to post the “Do Not Sell My Personal Information” link on its website or in its mobile app. CCPA requires that the link be posted and easily accessible on the website, even if the business also allows consumers to opt out through other methods such as phone or email. Further, if consumers were able to opt out of Sephora’s sale of their data despite the lack of an opt out link and an ineffective GPC mechanism, Sephora continued to sell the personal data of these consumers to its business partners.
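The two opt-out paths described above (the browser-level GPC signal and a direct request made through a “Do Not Sell My Personal Information” link) can be honored with one server-side gate that suppresses third-party analytics and advertising tags for an opted-out visitor. The following is an added example, not code from the article or from any retailer; the GPC signal is carried in the `Sec-GPC: 1` request header defined by the GPC specification, while the `dns_optout` cookie name and the tag list are assumptions for illustration.

```javascript
// Added example: honor both the Global Privacy Control signal and a direct
// opt-out when deciding whether third-party tracking tags may be served.
// Assumptions: the direct opt-out is recorded in a cookie named "dns_optout",
// and THIRD_PARTY_TAGS holds constructed placeholder tags.

const THIRD_PARTY_TAGS = [
  // Constructed placeholders for the kind of analytics/advertising scripts
  // whose data flows to the provider count as a "sale" under the CCPA.
  '<script src="https://analytics.example/collect.js"></script>',
  '<script src="https://ads.example/pixel.js"></script>',
];

// Look up a header value without depending on the caller's key casing.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// A visitor is opted out if the browser sends "Sec-GPC: 1" OR the consumer
// previously used the opt-out link. Either alone is sufficient: the GPC
// signal must be honored even when no direct request was ever submitted,
// and the spec treats only the exact value "1" as an opt-out signal.
function isOptedOut(headers, cookieHeader) {
  const gpc = getHeader(headers, "Sec-GPC");
  const gpcSignal = typeof gpc === "string" && gpc.trim() === "1";
  const cookies = parseCookies(cookieHeader);
  return gpcSignal || cookies.dns_optout === "1";
}

// Tags to render into the page: none for an opted-out visitor, so no
// geolocation or browsing data reaches the advertising/analytics providers.
function trackerTagsFor(headers, cookieHeader) {
  return isOptedOut(headers, cookieHeader) ? [] : THIRD_PARTY_TAGS.slice();
}
```

Because the GPC check runs before any tag is emitted, a visitor whose browser sends the signal never loads the third-party scripts, which is the behavior the AG found missing on Sephora’s site.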
Enforcement
On June 25, 2021, the California AG informed Sephora of its potential violations and provided a 30-day cure period in accordance with CCPA requirements before Sephora would face legal liability. The violations could be cured by updating the privacy policy to inform consumers that Sephora sells personal data to third parties and that consumers have a right to opt out of such sale, posting a “Do Not Sell My Personal Information” link on its website, and processing consumer opt-outs via the GPC. Sephora did not cure any of its violations during the 30-day period. The terms of the August 24 settlement will require Sephora to pay $1.2 million in penalties and comply with injunctive terms, including affirmatively stating in its online disclosures that it sells data, providing consumers with opt-out mechanisms, confirming its service provider contracts meet CCPA requirements, and providing reports on these compliance actions to the California AG.
In connection with the Sephora settlement, the California AG announced that it will investigate several other unnamed companies to determine if GPC signals are being honored. While CCPA requires businesses to honor GPC signals, many companies have ignored this requirement and processed only individual opt-out requests submitted by consumers. The additional businesses under investigation will also have 30 days to cure any violations before potentially facing millions of dollars in liability. However, the notice-and-cure approach to enforcement will expire at the end of 2022, and future violations of CCPA (as amended and renamed the California Privacy Rights Act) will be enforced more harshly, with the California AG stating that the Sephora settlement should send a “strong message” to businesses that are still in violation of CCPA more than two years after the law went into effect.
The California AG also provided several new examples of notices to cure CCPA violations that can be used as a reference for businesses seeking to ensure their CCPA compliance. In one enforcement sweep, the California AG found that a business operating a fitness center chain offered an opt-out form in connection with the “Do Not Sell My Personal Information” link requirements that was too confusing in its use of unclear language and toggle options for the various opt-out rights. In another enforcement, a clothing retailer’s opt-out link only allowed consumers to manage their cookie preferences and did not include a method for opting out of the sale of their data.
For more information on how you can ensure your business is in compliance with CCPA requirements, please contact a specialist in Koley Jessen’s Data Privacy and Security Practice Area.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.