On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora, one of the largest cosmetic retailers in the world, to resolve allegations that the company illegally sold consumer data and violated the California Consumer Privacy Act (“CCPA”).[1] The settlement resulted from an enforcement sweep of online retailers that the state conducted in 2021 and is the first public CCPA enforcement action since the law went into effect in January 2020.
The complaint, filed in San Francisco Superior Court, alleges that Sephora violated the CCPA and California’s unfair competition law by failing to disclose to consumers that it was selling their personal information, which it did by making that information available to online third-party trackers in exchange for benefits such as targeted advertising and discounted analytics.[1] Sephora also failed to process opt-out requests made via user-enabled privacy controls such as the Global Privacy Control (“GPC”).[2] The GPC is a powerful tool developed in response to the CCPA by a broad coalition of stakeholders, including tech companies, web publishers, browser and extension developers, academics, and civil rights groups.[3] It allows consumers to opt out of all online sales of their personal information in one fell swoop: a browser or software extension available on certain internet browsers broadcasts a “Do Not Sell My Personal Information” signal to every website they visit, so they do not have to click an opt-out link on each site. Under the CCPA regulations, businesses must treat these GPC-originated requests the same as opt-out choices expressed through the company-specific opt-out mechanism,[4] and the government has specifically identified the GPC as a valid opt-out method.[5] If the GPC signal conflicts with the consumer’s existing privacy settings with a business, the business must honor the GPC signal, but may notify the consumer of the conflicting settings and give them an opportunity to confirm their privacy settings.[6]
Furthermore, Sephora did not cure these violations within 30 days after it was notified of them. Under the CCPA, businesses have been given the opportunity to cure any violations within 30 days after being notified of alleged noncompliance;[7] however, with the California Privacy Rights Act (“CPRA”) soon going into effect, this notice-and-cure provision will expire on January 1, 2023. Sephora was first notified on June 25, 2021 that it could be in violation of the CCPA.[8] After Sephora failed to take any steps to cure the violations within one month, the government entered into a tolling agreement with Sephora, which remained in effect through the filing of the government’s complaint in August 2022.[9]
In addition to the settlement with Sephora, AG Bonta announced that the California Department of Justice is launching a new investigative sweep of businesses that fail to process opt-out requests made via a user-enabled global privacy control, such as a browser setting or extension like the GPC that automatically signals the user’s privacy preferences.[11] He also noted that the “kid gloves are coming off,” as the CCPA’s notice-and-cure provision, which gives companies the right to cure any violations within 30 days after the government notifies them of the violation, expires at the end of 2022.[12]
What This Means for You
Respond if You Are Notified of Potential Violations: A key takeaway is that Sephora could have avoided the enforcement action entirely if it had simply taken steps to cure the violations when the government first notified it in the summer of 2021. Because businesses should expect more enforcement actions as the government launches further investigative sweeps, it is critical that you respond within 30 days if you are notified of any potential violations. You should consult with experienced outside counsel to quickly determine the best course of action for investigating potential violations, curing any deficiencies in your CCPA compliance program, and providing an adequate response to regulators.
Get Your CCPA Compliance Program Right Before 2023: The CCPA’s notice-and-cure provision expires on January 1, 2023, and there is no indication that the government intends to extend businesses’ right to cure, meaning that businesses which collect, sell, or share personal information from California residents now have less than four months to ensure that they are consistently complying with the CCPA. Experienced outside counsel can provide valuable advice on how to strengthen your CCPA compliance program before this period ends.
Definition of “Sale” of Personal Information: The Sephora settlement makes clear that any arrangement in which a company makes consumer personal information available to third parties in return for a benefit is considered a “sale” under the law, triggering CCPA obligations such as disclosing to consumers that it is selling their personal information and allowing consumers to opt out of those sales. For example, if your business installs third-party companies’ tracking software in return for benefits like analytics information or opportunities to purchase targeted advertisements, you must comply with the CCPA.
Honor GPC Opt-Out Preference Signals: Complying with the CCPA includes honoring consumers’ opt-out preferences, which now goes beyond a “Do Not Sell” link on your website. Given how the CCPA regulations and consumer tools have evolved over the past several years, it is crucial that businesses remain up to date on their obligations. Even if you did not receive a written notice during the California AG’s most recent enforcement sweep, if you are unsure whether your business’s website honors GPC opt-out signals, you should confirm this immediately and implement it if necessary.
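The opt-out signal described above is, under the GPC specification, carried by the browser as the HTTP request header `Sec-GPC: 1` (the alert does not name the header; that detail comes from the specification). The JavaScript below is an added example, not code from this alert, from Sephora, or from the Attorney General’s office. It shows one way a site’s server could recognize the signal, resolve it against a consumer’s stored choice (the GPC signal prevails, and a conflict is flagged so the site can show the notice the regulations permit), and drop the third-party tags that would constitute a sale. The header-lookup helper, the decision fields, the sample tag inventory and the sample requests are all my own constructions.

```javascript
// Added example: honoring the Global Privacy Control signal on the server.
// The "Sec-GPC" request header name comes from the GPC specification; all
// function names, decision fields and sample data below are constructed.

// Case-insensitive header lookup. Node lowercases header names, but raw
// proxies or other runtimes may not, so do not rely on the exact casing.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// True only when the header carries the exact value "1", as the spec defines.
// A missing header, "0", or any other value is not an opt-out.
function gpcOptOut(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  return raw !== undefined && String(raw).trim() === '1';
}

// Decide whether this request may trigger a "sale" to third-party trackers.
//   storedOptOut: the consumer's saved choice with this site
//                 (true = opted out, false = opted in, undefined = no choice).
// The GPC signal is honored whenever present. When it contradicts a saved
// opt-in, `conflict` is true so the site can notify the consumer and let
// them confirm their settings, as the CCPA regulations permit.
function resolveSalePreference(headers, storedOptOut) {
  const gpc = gpcOptOut(headers);
  const optOut = gpc || storedOptOut === true;
  const conflict = gpc && storedOptOut === false;
  const source = gpc ? 'gpc' : storedOptOut === true ? 'stored' : 'none';
  return { optOut, source, conflict };
}

// Filter a tag inventory down to what may be served. Tags marked as a "sale"
// (personal information sent to a third party in return for a benefit) are
// dropped once the consumer has opted out; first-party tags are unaffected.
function tagsToServe(decision, tags) {
  return tags.filter((t) => !(decision.optOut && t.sale)).map((t) => t.src);
}

// Constructed sample tag inventory (placeholder vendors, not real ones).
const SAMPLE_TAGS = [
  { src: 'https://example-analytics.invalid/t.js', sale: true },
  { src: 'https://example-ads.invalid/pixel.js', sale: true },
  { src: '/static/first-party-metrics.js', sale: false },
];

// Constructed requests: one from a GPC-enabled browser, one without the signal.
const REQ_GPC = { headers: { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' } };
const REQ_PLAIN = { headers: { 'user-agent': 'ExampleBrowser/1.0' } };

// Walk through the three cases a site has to handle and return the results.
function demo() {
  const out = {};
  // GPC present, no saved choice: opt out, no conflict.
  out.gpcNoStored = resolveSalePreference(REQ_GPC.headers, undefined);
  // GPC present, saved opt-in: GPC wins, conflict flagged for a notice.
  out.gpcConflict = resolveSalePreference(REQ_GPC.headers, false);
  // No GPC, saved opt-in: sale tags may be served.
  out.plainOptedIn = resolveSalePreference(REQ_PLAIN.headers, false);
  out.servedWhenOptedOut = tagsToServe(out.gpcConflict, SAMPLE_TAGS);
  out.servedWhenOptedIn = tagsToServe(out.plainOptedIn, SAMPLE_TAGS);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`; `demo()` prints the decision for each case. The same specification also exposes the signal in the browser as `navigator.globalPrivacyControl`, which a tag-loading script can consult before inserting vendor tags, but checking the header server-side covers server-rendered pages and any server-side forwarding of data to vendors as well.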
[1] Press Release, California Dep’t of Justice Office of the Attorney General, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act, Aug. 24, 2022, available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
[2] Complaint, People of the State of California v. Sephora USA, Inc. (San Francisco Sup. Ct.), Aug. 23, 2022, available at https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf.
[4] Global Privacy Control, Frequently Asked Questions, available at https://globalprivacycontrol.org/faq.
[5] Cal. Code Regs. tit. 11 § 7026(c).
[6] California Dep’t of Justice Office of the Attorney General, California Consumer Privacy Act (CCPA) Frequently Asked Questions, available at https://oag.ca.gov/privacy/ccpa.
[7] Cal. Code Regs. tit. 11 § 7026(c)(2).
[8] Cal. Civ. Code § 1798.155.
[9] Complaint, supra note 2, at 6.
[11] Press Release, supra note 1.
[13] California Department of Justice, Attorney General Bonta Announces First Public Enforcement Action Under CCPA, YouTube, Aug. 24, 2022, https://www.youtube.com/watch?v=mT8jT8LW8XE.