California AG Announces Settlement with Sephora as Part of Ongoing Enforcement of CCPA

California’s Attorney General, Rob Bonta, announced the state has reached a settlement of $1.2 million with beauty retailer Sephora for breaching the California Consumer Privacy Act (CCPA) where the retailer sold people’s data without informing them.

After conducting an enforcement sweep of online retailers, AG Bonta found Sephora failed to process people’s requests to opt-out of the sale of information to third-party companies.

The attorney general notified Sephora on June 25, 2021 of its possible noncompliance, but Sephora did not make the necessary changes to its website within the 30-day cure period required by CCPA.

This settlement is part of ongoing efforts by the Attorney General to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties.  While other states like Connecticut and Utah have implemented similar privacy laws, Bonta’s office has sent out more than 100 notices of CCPA non-compliance to other companies in tech, health care, retail, fitness, data brokerage and telecom industries.  These companies have 30 days to address the alleged violations or will otherwise face enforcement action from the Attorney General.

I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” Bonta said in a statement.  “My office is watching, and we will hold you accountable.

Although the company was found to have violated the CCPA, Sephora’s point of contention came from the definition of the term “sale”, stating the law does not define a “sale” in the traditional sense.  “‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads,” the company said.  “Sephora was not the target or victim of a data breach.

The CCPA defines “sale” broadly as the selling or transferring of a consumer’s personal information by a business to another business—or a third party in exchange for money or “other valuable consideration.”

Here is what organizations can learn from the settlement:

Treat GPC signals as opt-out of sale request
In June of 2021, California’s Attorney General Rob Bonta ordered a sweep of large retailers to see whether they continued to sell personal information, after people had signaled to opt-out via the Global Privacy Control (GPC).  The purpose of the GPC is to inform websites not to sell user data.

As a part of the investigation, the AG found data from Sephora’s website continued to flow to third-party companies, including advertising and analytics providers, when GPC had been activated—even when a California resident signaled to opt-out.

Sephora also allegedly failed to comply with several other CCPA obligations, such as failing to tell California residents it sold personal information to third parties—and that they have the right to opt-out of this sale.  According to Bonta, the company only noted it “shared” personal information and provided people with a link to see what information was shared.  On clicking that link, a Sephora message read “we do not sell personal information.

Sephora allegedly failed to post a “Do Not Sell My Personal Information” link on its website and in its mobile app, as well as provide another means of opting out.  The company also allegedly sold people’s personal information despite people opting out.

Broad Definitions won’t hold back regulators
While Sephora may have violated certain CCPA rules, the company countered by calling into question the use of the term “sale”.

The California law “does not define ‘sale’ in the traditional sense of the term,” Sephora stated.  “It is important to note that Sephora uses data strictly for Sephora experiences.

The CCPA’s broad definition of “sale” does not limit it to the selling of personal information by a business to another business or third party for monetary compensation, but also for discounted tools or services, such as analytics.

Sephora may have violated this by not having clear, valid service-provider contracts with third parties that state that data collected by the service provider is for the benefit of Sephora.

According to Bonta, Sephora “installed and used other widely available advertising and analytics services from companies where it had the same fundamental deal: Sephora allowed the third-party companies access to its customers’ online activities, in exchange for advertising or analytic services.

The AG alleged that the company knew that these third parties would collect personal information when Sephora installed or allowed the installation of the relevant code on its website or app.

As per the court document, the brand also knew that it would receive discounted or higher-quality analytics and other services derived from the data about people’s online activities, including the option to target ads to people that had merely browsed for products online.

The settlement currently needs the approval of a state judge; however, Sephora is not required to admit liability or wrongdoing.

More fines to come
Bonta’s office has sent out more than 100 notices of CCPA non-compliance to other companies in technology, health care, retail, fitness, data brokerage and telecom industries.