Apply Foundation To Your Privacy Policy Before You Become The Next Sephora

DarrowEverett LLP
Contact

DarrowEverett LLP

On August 24, 2022, the California Attorney General released a statement regarding a settlement agreement that the State of California reached with Sephora, Inc. (“Sephora”), the international consumer product retailer specializing in personal care and beauty products, for failing to comply with the California Consumer Privacy Act (“CCPA”). The California Attorney General’s Office alleged that Sephora did not notify consumers that the company was selling personal information and did not honor consumer requests to opt-out of those sales.[1]

It is worth noting that a “sale” under the CCPA is broadly defined – a CCPA “sale” covers obvious like an exchange of data containing personal information for monetary sums, but also includes arrangements where the data provider receives benefit from allowing a third-party access to data containing personal information. Even receiving a benefit that has unclear monetary value can trigger requirements under the CCPA. As was alleged against Sephora, the California Attorney General determined that a “sale” occurred when Sephora gained “a benefit from a third-party vendor who built customer profiles by analyzing the personal information and behavior of online shoppers.

As part of the settlement, Sephora will pay $1.2 million in penalties and agreed to revise their user agreements to comply with CCPA requirements, including implementation of opt-out mechanisms. Sephora will also provide updates to the California Attorney General’s Office on progress toward corrective measures, implying ongoing oversight by the state office. The action against Sephora serves to illustrate how data privacy laws should be considered when executing on business strategy.

Despite being the first of its kind, California’s action against Sephora may not be the last. The California Attorney General’s Office disclosed that notices of non-compliance were issued to businesses across a wide range of industries, including tech, healthcare, retail, fitness, data brokerage and telecom.

Further highlighting the importance of compliance with data privacy laws is the number of new legislations coming into effect in 2023. The CCPA is soon to be supplemented by the California Privacy Rights Act (“CPRA”) which expands data privacy rights of California residents. New state laws in Colorado, Connecticut, Utah, and Virginia also become effective in 2023, affording residents of respective states various data privacy rights and protection. Here is a short list of the upcoming data privacy laws and their effective dates.

State Laws Effective Date
California California Consumer Privacy Rights Act Jan. 1, 2023
Virginia Consumer Data Protection Act Jan. 1, 2023
Colorado Colorado Privacy Act July 1, 2023
Connecticut Personal Data Privacy and Online Monitoring July 1, 2023
Utah Utah Consumer Privacy Act Dec. 31, 2023

As the close of 2022 approaches, companies should proactively plan to update their user agreements, including privacy policies, that acknowledge and define the user rights that will be effective soon. Overlooking how your business uses, shares, or discloses the personal information of consumers can leave you vulnerable to risk, including regulatory action and costly penalties. Companies should also analyze whether their mechanisms for exercising rights, if any, are appropriate and sufficient to accommodate expanded user rights.

——————————————————————————————–

https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DarrowEverett LLP | Attorney Advertising

Written by:

DarrowEverett LLP
Contact
more
less

DarrowEverett LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.