Settlement Terms

The settlement, which is pending court approval, requires Sephora to pay $1.2 million in penalties and resolves allegations that Sephora failed to disclose to consumers that it was selling their personal information (“PI”), failed to process user requests to opt out of sales via user-enabled global privacy controls in violation of the CCPA, and did not cure the alleged violations within the 30-day period currently allowed by the CCPA.

The settlement also imposes injunctive terms on the beauty brand regarding CCPA compliance. Specifically, Sephora must:

• Clarify its online disclosures and privacy policy to include an affirmative representation that it sells PI;
• Provide mechanisms for consumers to opt out of the sale of PI, including via the Global Privacy Control; and
• Conform its service provider agreements to the CCPA’s requirements.

Sephora also agreed to significant reporting requirements. Beginning within 180 days of the effective date of the settlement and for two years after, the multinational retailer must submit the following reports to the AG:

• Reports on GPC efforts that include:
  • A detailed overview of the testing Sephora has done to assess and monitor its processing of consumer requests to opt out of the sale of their PI submitted via user-enabled global privacy controls like the GPC.
  • An analysis of any errors or technical problems encountered by Sephora in processing consumer requests to opt out of the sale of their PI via user-enabled global privacy controls like the GPC, if any, and steps taken by Sephora to fix or remediate those errors or problems.
• Reports on website and app reviews that include:
  • The names of entities to which Sephora makes available PI, the PI Sephora makes available to these entities, Sephora’s purpose for making PI available to these entities, and whether Sephora characterizes these entities as service providers.
  • For entities that Sephora contends are service providers, Sephora must enter into contracts with them that meet CCPA service provider requirements and document this in the annual report.
  • For entities that are not service providers, Sephora must do any of the following, and document its efforts in the annual report:
    • Comply with requests to opt out of sales to such entities,
    • Enter into or amend its contract with the entity to render it a valid service provider, or
    • Cease making available PI to that entity.
  • For entities with which Sephora has a specific contractual agreement providing that the entity will act as a service provider when processing PI, but requiring Sephora to enable some type of restricted data processing, Sephora shall enable this restricted data processing for all consumers, including in its implementation of the GPC, or cease making PI available to the entity, and document this in the annual report.

The Lead-Up to Settlement

It seems Sephora came onto the AG’s radar during the AG’s June 2021 enforcement sweep, which assessed whether large retailers continued to sell PI when a consumer signaled an opt-out via the GPC. The complaint describes how the AG’s testing and investigation used commercially available browser extensions to monitor network traffic involving third-party advertising and analytics providers, and analyzed how that traffic changed when the GPC sent its “do not sell” signal.

In investigating Sephora’s website, the AG found that activating the GPC had no effect and that data continued to flow to third-party companies, including advertising and analytics providers. It also found that Sephora stated in its privacy policy that it did not sell PI, but separately included in the policy that it shared consumers’ geolocation data and “[i]nternet or other electronic network activity information” with third parties, including “advertising networks, business partners, data analytics providers,” and others. The AG found that Sephora “made this data available to these companies by installing (or allowing the installation of) third-party trackers in the form of cookies, pixels, software development kits, and other technologies, which automatically send data about consumers’ online behavior to the third-party companies.”

In Focus: The Global Privacy Control

The settlement emphasizes the importance of the GPC. The AG noted: “Today’s settlement is part of ongoing efforts by the Attorney General to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties, including those signaled by the Global Privacy Control (GPC).” (Emphasis added). The press release further states that Attorney General Bonta sent notices on August 24 to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.

A Failure to Cure  

Importantly, during the course of its investigation the AG reportedly gave Sephora an opportunity to cure CCPA violations, including regarding statements in its privacy notice and the lack of a “Do Not Sell My Personal Information” link. However, the retailer apparently failed to cure the alleged violations to the AG’s satisfaction.

The press release highlights that the CCPA’s notice and cure provision, which requires businesses to receive notice and an opportunity to cure before they can be held accountable by the AG for CCPA violations, will expire on January 1, 2023, when the California Privacy Rights Act (“CPRA”) amendments to the CCPA take effect.

Finally, the press release points to new examples of notices to enforcement actions that resulted in cures, available at oag.ca.gov/ccpa. These include:

1. An enforcement sweep of businesses operating loyalty programs that offered financial incentives such as discounts, free items, or other rewards, in exchange for PI without providing consumers with a notice of financial incentive;
2. An online advertising business whose privacy disclosures were not understandable to the average consumer and did not include the required information; and
3. A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.

Key Takeaways for Your CCPA Compliance Strategy

As your organization gears up for compliance with the CPRA updates to the CCPA, now is the time to re-evaluate your privacy disclosures for accuracy, confirm your rights request processes are in place and up to date, and assess with your business teams whether your websites and mobile apps, especially those that contain third-party trackers or other adtech solutions, are configured to appropriately monitor for and honor user-enabled opt-out preference signals, such as the GPC.