On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora, Inc. that included a fine of $1.2 million for alleged violations of the California Consumer Privacy Act (CCPA). The settlement is likely the first of many enforcement actions stemming from the Attorney General’s enforcement sweep against online retailers and other businesses for potential violations of the CCPA, which began in June 2021. While other investigations have focused on the failure to disclose financial incentives for loyalty programs, privacy disclosures that are not understandable to the average consumer and do not include required information, and “Do Not Sell My Personal Information” links that only worked on some internet browsers, the enforcement action against Sephora is especially important to many website operators because it hinged on the allegation that Sephora failed to disclose the sale of personal information or provide a “Do Not Sell My Personal Information” link as a result of the use of analytics and advertising cookies on its website.
The Attorney General’s complaint alleges that Sephora’s website collects personal information (as defined in the CCPA) such as the products that consumers view and purchase, geolocation data, cookies and other unique identifiers, and information about the consumers’ operating systems and browser types. It further alleges that Sephora makes this personal information available to third parties in order to receive advertising and analytics services, through the installation or use of trackers such as cookies, clear GIFs, and other technologies that automatically transmit the personal information.
The complaint states that while Sephora’s privacy notice accurately disclosed the fact that it shared geolocation and other electronic network information with third parties such as advertising networks, business partners, and data analytics providers, such a disclosure in exchange for services from those entities constituted a “sale” under the CCPA. The CCPA defines a “sale” of personal information to include a disclosure for monetary or other valuable consideration. The complaint alleges that Sephora’s use and transmittal of the personal information was a “sale” under the CCPA because the disclosure was made in exchange for free, discounted, or higher quality advertising or analytics services from its third-party vendors.
Having concluded that Sephora did engage in a “sale” of personal information as defined in the CCPA, the complaint further alleges that Sephora failed to disclose this sale in its privacy notice and instead claimed that it did not sell personal information. Furthermore, the complaint alleges that Sephora failed to offer a “Do Not Sell My Personal Information” link or comply with an opt-out browser signal (in particular the Global Privacy Signal or GPC). The complaint claims that the Attorney General notified Sephora of the potential violations on June 25, 2021, and that Sephora failed to cure the deficiencies on the website within the 30-day cure period provided under the CCPA. As a result of Sephora’s alleged failure to cure the deficiencies, the Attorney General’s complaint alleged violations not only of the CCPA but also of California’s unfair and deceptive practices statute, California Business and Professions Code § 17200, et seq., for allegedly unfairly depriving consumers of their right to opt out of the sale of personal information.
Under the settlement, Sephora is required to pay (to the Consumer Privacy Fund) a fine of $1.2 million. In addition, Sephora must:
The settlement is important because it makes clear that the use of analytics cookies, advertising cookies, and other automatic data collection technologies is a “sale” under the CCPA and will be considered a “sale” or “sharing” under the upcoming CPRA. The settlement also makes clear that, although the GPC is not widely adopted and other browser signals may emerge in the future, the Attorney General considers it mandatory to honor the GPC when it is sent.
The enforcement action and settlement should also put to rest any belief that the Attorney General would be less than robust in its enforcement of the CCPA, and instead indicates that the Attorney General has been and continues to actively enforce the CCPA. The inclusion of claims that Sephora violated California Business and Professions Code § 17200, et seq., also suggests that the Attorney General is willing to allege all potential causes of action above and beyond the CCPA itself in order to enforce compliance.
In light of this settlement and other enforcement actions disclosed by the Attorney General, businesses that are subject to the CCPA (and the upcoming CPRA) should immediately review their CCPA compliance to minimize being a potential target of further enforcement actions, including:
Businesses should also be on the lookout for notices from the California Attorney General alleging violations of the CCPA. The Attorney General’s announcement stated that he sent notices to other businesses alleging non-compliance with opt-out requests made through global privacy controls. Under the CCPA, businesses have 30 days to cure such violations. The Sephora settlement suggests that businesses receiving such notices should take immediate action to cure any alleged deficiencies, and that the Attorney General is willing to bring enforcement actions against businesses that fail to take action to comply.
Businesses should also be aware of changes to their processing of personal information required under the California Privacy Rights Act, which goes into effect January 1, 2023. This may include complying with requests by consumers to exercise their additional privacy rights, such as the right to limit the use of sensitive personal information or the right to correct their personal information. Businesses should also be reminded that the employment information and business-to-business information exceptions will expire on January 1, 2023 unless one of the several pending bills is passed by August 31, 2022, which appears unlikely. If those exceptions expire, the full scope of the CPRA will apply to both employee and business-to-business information. For more information about additional requirements under the CPRA, please see our discussion of this upcoming law at California Voters Pass the California Privacy Rights Act.
Finally, with greater enforcement by the Attorney General and the coming implementation of the CPRA in January 2023, there is a greater risk of civil litigation being filed against businesses that fail to comply with the CCPA and the CPRA. Thus, a diligent review of business practices regarding privacy notices, privacy policies, and the use of consumer information is critical to limit any potential exposure under the CCPA, the CPRA, or California Business and Professions Code § 17200, et seq.
For more information about complying with the CCPA or the upcoming CPRA, please contact either of the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.