California Attorney General Reaches $1.2 Million Settlement With Sephora as Part of His Office’s Continued Enforcement of the California Consumer Privacy Act

Patrick M. Hromisin, Austin G. Strine

The California Attorney General began exercising enforcement authority under the CCPA on January 1, 2020. Among the rights the CCPA enumerates for consumers, its cornerstone is the right to opt out of the collection of personal information. In Sephora’s case, the Attorney General discovered that Sephora had installed on its website tracking devices supplied by third parties that monitored consumers’ shopping behavior. These devices collected data that included, but was not limited to, “whether a consumer is using a MacBook or a Dell, the brand of eyeliner that a consumer puts in their ‘shopping cart,’ and even the precise location of the consumer.” The stockpiled data also included purchasing practices that may lead to the conclusion that a woman is pregnant or entering menopause.

What You Need to Know:

  • If a company subject to the CCPA collects consumer data through a website, it must configure the site to detect and honor global privacy control signals (such as users’ browser settings) or opt-out requests.
  • Companies must be cautious when exchanging consumer data with third parties, including “advertising networks, business partners, [and] data analytics providers,” for services, as the transaction may constitute a “sale” of personal information under the CCPA, triggering heightened compliance obligations.
  • If a company sells consumer information, as defined by the CCPA, it must inform the consumer of that fact and provide them with an opportunity to opt out of that sale. 
  • The California Attorney General appears to be taking an aggressive approach to enforcing the CCPA, particularly relating to failures to implement and process global privacy control opt-out protocols. 

Under the CCPA, a consumer has the right to opt out of the collection and sale of this personal data by exercising a Global Privacy Control or simply clicking on a “Do Not Sell My Personal Information” link. Sephora’s website, however, failed to include these measures. The Attorney General became aware of Sephora’s shortfalls as part of an “enforcement sweep” of online retailers. The Attorney General’s office notified Sephora of its potential CCPA liability and provided it with 30 days to cure its noncompliance. According to the Attorney General, Sephora did not cure any of the alleged CCPA violations, and the Attorney General initiated an investigation and concluded that Sephora was “selling” consumer data as defined by the CCPA. Moreover, it discovered that Sephora’s website was not configured to “detect or process any global privacy control signals,” which would exclude consumers who informed the company through a global opt-out signal not to sell their data. Based on these suspected violations, the Attorney General initiated enforcement proceedings against Sephora, leading to a $1.2 million settlement with the company.

The Attorney General’s approach to Sephora reinforces the CCPA’s foundational principle that if a company sells consumer data as defined by the CCPA, it must inform the consumer that 1) it is collecting and selling their data; and 2) they have the right to opt out of the sale of their information. Sephora did neither. It is evident that the Attorney General is taking an aggressive stance on enforcing the CCPA. Indeed, after announcing the settlement with Sephora, the Attorney General sent notices to a number of businesses alleging CCPA non-compliance relating to the businesses’ failure to provide opt-out requests in general and process opt-out requests made via Global Privacy Controls. In light of these steps by California authorities, companies subject to the CCPA must do their due diligence and review their vendor contracts and practices involving user-tracking data to determine if consumer data is being collected, exchanged, or sold, and, if so, should take steps to comply with their CCPA obligations.

Saul Ewing’s Cybersecurity and Data Privacy practice group can help companies determine whether they fall within the scope of the CCPA or other privacy frameworks and can help them achieve compliance with their requirements. 
