California Attorney General is Watching and Will Hold You Accountable – CCPA Enforcement Actions Pick Up with Sephora Settlement

“My office is watching, and we will hold you accountable…there are no more excuses,” California Attorney General Rob Bonta warns businesses in the press release announcing his office’s settlement with Sephora, resolving allegations that Sephora violated the California Consumer Privacy Act (“CCPA”) by selling consumers’ personal information without telling them and failing to honor opt-outs made via user-enabled global privacy controls. Announced on August 24, 2022, the settlement requires Sephora to pay $1.2 million in penalties and comply with important injunctive terms, including the submission of annual reports to the California Attorney General. Not only did Attorney General Bonta announce the Sephora settlement, but he also announced that his office sent more than 100 notices to other businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled privacy controls, like the Global Privacy Control (the “GPC”).

The Sephora settlement resulted from the Office of the Attorney General’s enforcement sweep of online retailers. In its sweep, the Attorney General claims to have found evidence to support allegations that Sephora failed to disclose to consumers that it was “selling” their personal information, failed to process user requests to opt out of sale via user-enabled global privacy controls, and did not cure these violations within the 30-day period allowed by the CCPA. Currently, the CCPA contains a 30-day notice and cure period under which businesses must receive notice and an opportunity to cure before the Attorney General can hold them accountable for CCPA violations. However, this notice and cure period will expire on January 1, 2023, when the California Privacy Rights Act (“CPRA”) takes effect.

In addition to paying the $1.2 million in penalties, the settlement, which is pending approval from a state judge, requires Sephora to:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the GPC;
  • Conform its service provider agreements to the CCPA’s requirements;
  • Implement and maintain a program to assess and monitor whether it is effectively processing consumer requests to opt out of the sale of their personal information, including requests submitted via the GPC;
  • Conduct an annual review of its website and mobile applications to determine the entities to which it makes personal information available, including service providers;
  • Provide detailed annual reports to the California Attorney General relating to its assessment of the sale of personal information, its review of the status of its service provider relationships, and its efforts to honor the GPC; and
  • Comply with the CCPA and CPRA.

While Sephora did not admit liability, the Sephora settlement serves as a warning and guidepost for businesses subject to the CCPA, especially those whose exchanges of California residents’ personal information with third parties come within the broad definition of a “sale” under the CCPA, which includes any communication of personal information to a third party for monetary or other valuable consideration. Information sellers need to be sure that they provide, and appropriately respond to, methods that allow consumers to opt out of the sale of their personal information, including a user-enabled global privacy control, such as the GPC. A global privacy control allows consumers to opt out of all online sales in one fell swoop via a browser plug-in or privacy setting, device setting, or other mechanism that broadcasts a “do not sell” signal across every website they visit. Under the CCPA regulations, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked a business’s “Do Not Sell My Personal Information” link or utilized another opt-out method a business provides.

Attorney General Bonta remarked that “I hope [the Sephora] settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law” and urged businesses to “follow the law, do right by consumers.” If you need assistance with your CCPA compliance efforts or want more information on compliance with the CCPA, please contact one of our Cybersecurity & Data Privacy attorneys.