On August 24, 2022, the California Attorney General released a statement regarding a settlement agreement that the State of California reached with Sephora, Inc. (“Sephora”), the international consumer product retailer specializing in personal care and beauty products, for failing to comply with the California Consumer Privacy Act (“CCPA”). The California Attorney General’s Office alleged that Sephora did not notify consumers that the company was selling personal information and did not honor consumer requests to opt-out of those sales.
It is worth noting that a “sale” under the CCPA is broadly defined. A CCPA “sale” covers obvious cases such as an exchange of data containing personal information for money, but it also includes arrangements in which the data provider receives some other benefit in return for giving a third party access to personal information. Even a benefit with unclear monetary value can trigger CCPA obligations. In the Sephora matter, the California Attorney General alleged that a “sale” occurred when Sephora gained “a benefit from a third-party vendor who built customer profiles by analyzing the personal information and behavior of online shoppers.”
As part of the settlement, Sephora will pay $1.2 million in penalties and has agreed to revise its user agreements to comply with CCPA requirements, including implementing opt-out mechanisms. Sephora will also provide updates to the California Attorney General’s Office on its progress toward corrective measures, implying ongoing oversight by the state. The action against Sephora illustrates why data privacy laws should be considered when executing on business strategy.
Despite being the first of its kind, California’s action against Sephora may not be the last. The California Attorney General’s Office disclosed that notices of non-compliance were issued to businesses across a wide range of industries, including tech, healthcare, retail, fitness, data brokerage and telecom.
Further highlighting the importance of compliance with data privacy laws is the number of new statutes taking effect in 2023. The CCPA is soon to be supplemented by the California Privacy Rights Act (“CPRA”), which expands the data privacy rights of California residents. New state laws in Colorado, Connecticut, Utah, and Virginia also take effect in 2023, affording residents of those states various data privacy rights and protections. Here is a short list of the upcoming data privacy laws and their effective dates.
As the close of 2022 approaches, companies should proactively plan to update their user agreements, including privacy policies, so that they acknowledge and define the user rights that will soon take effect. Overlooking how your business uses, shares, or discloses consumers’ personal information can expose you to risk, including regulatory action and costly penalties. Companies should also analyze whether their mechanisms for exercising those rights, if any, are appropriate and sufficient to accommodate the expanded user rights.