Sephora Hit with $1.2M Fine in First CCPA Enforcement

On August 24, California Attorney General Rob Bonta announced a $1.2 million action against the personal care and beauty product giant, Sephora.

“Today’s settlement with Sephora makes it clear, we will not hesitate to enforce the law. It’s time for companies to get the memo, protect consumer data, honor their privacy rights.” Bonta said in an online press conference addressing the Sephora CCPA fine. “The kid gloves are coming off. My office will not hesitate to protect consumers.”

The enforcement action stems from Sephora’s failure to disclose information about the sale of personal information, the lack of a “Do Not Sell My Personal Information” button, and not honoring Global Privacy Control (GPC) signals. Sephora was provided with the 30-day right to cure notice under the CCPA and did not remedy the issues thus leading to the enforcement action.

The AG also published updated enforcement examples that can be found here. The Sephora enforcement is included as are others that were notified of a violation and took the necessary steps to remedy the issue in the 30-day right-to-cure timeframe.

Here are some of the key takeaways from the Sephora CCPA fine that your organization needs to be aware of to help ensure CCPA compliance:

• The debate in the privacy world surrounding the requirement to honor GPC signals has been answered by the AG. With this enforcement action, it is clear that businesses must honor GPC signals from consumers and should ensure their websites are capable of receiving and honoring such requests. Additional information can be found here and here. There is some work on the consumer side as well. In order to send a GPC signal, consumers must use a supported browser or extension and activate the signal. These can be found here. Also, there are several cookie preference center solutions on the market that can honor the GPC signal.

• In the final judgement, the AG details that in June of 2021, an enforcement sweep of large retailers kicked off in order to understand and determine whether the retailer continued to sell personal information when a consumer signaled an opt-out via a GPC signal. This was accomplished through using commercially available browser plug-ins. Traditionally, complaints drive enforcement. The loyalty program sweep of 2022 hinted at an actively enforcement arm and this enforcement confirms that the AG’s office is actively searching for violators of the CCPA. Business ears should perk up. The website is the window to the privacy health of the business, make sure it’s ready for AG or consumer review.

• It is not uncommon for a business to take the stance that they do no sell personal information “in the traditional sense”, like a data broker as an example, and then refer consumers to one or all of the industry preference centers like YourAdChoices. While these services can provide consumers with additional choice, they do not meet the CCPA requirements. We recommend revisiting all AdTech on the website and understanding if the use of any of the providers would be a “sale” under the CCPA. If so, we recommend updating the privacy policy with the required disclosures, implementing a “Do Not Sell My Personal Information” link, and ensuring GPC signals are received and honored.

• The 30-day right to cure notice expires on January 1, 2023, for any violation other than breach under the CCPA and the California Privacy Protection Agency takes the enforcement reins on July 1, 2023. Businesses have been provided with time to comply and even a 30-day warning, that will end soon.

If you have any questions about this enforcement or about how to implement any of the required privacy mechanisms mentioned in this article, please reach out to connect@compliancepoint.com.