On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG's first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling the personal information of California consumers through the use of third-party website advertising and analytics tools, failing to provide a "Do Not Sell My Personal Information" link for consumers to opt out of those sales, and failing to honor Global Privacy Control (GPC) signals as a means of opting out. As part of the relief, Sephora was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA.
The Complaint
The complaint alleged violations of both the CCPA and California's Unfair Competition Law. As for the CCPA violations, the California AG asserted that Sephora sold its customers' personal information when it installed third-party trackers on its website, including cookies, pixels, software development kits, and other technologies that automatically sent data about consumers' online behavior to third-party companies. The complaint further alleged that, because Sephora provided access to customer personal information to these companies in exchange for advertising benefits and free or discounted analytics, this activity constituted an "exchange of personal information for anything of value" that met the definition of "sale" under the CCPA. The complaint also noted that Sephora did not have contracts with all of these companies to position them as service providers.
The California AG claimed that Sephora did not meet its regulatory obligations as a seller of California consumers' personal information. Specifically, the complaint alleged that Sephora did not notify consumers of all of the categories of personal information it had sold or shared in the last 12 months. Instead, Sephora's California-specific disclosures allegedly said that the company did not sell personal information. Also, the complaint alleged that Sephora did not post a "Do Not Sell My Personal Information" link to allow customers to opt out of these sales, and it did not honor consumer opt-out requests made through a GPC signal. The complaint alleged that the California AG notified Sephora of these violations on June 25, 2021, but the company had not cured the violations as of July 26, 2021. As a result, the California AG brought the complaint after an investigation and Sephora's failure to cure its violations within 30 days.
The California AG also claimed that Sephora violated California's Unfair Competition Law by making false or misleading statements about the sale of customers' personal information and unfairly denying customers the ability to opt out of this sale.
The Settlement
In addition to requiring Sephora to disclose to customers that the company sells their personal information when it uses online tracking technology and to provide an opt-out link, the settlement contains several notable requirements:
Key Takeaways
To mitigate the risk of a California AG CCPA enforcement action, businesses should consider the following takeaways:
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and respond to state AG and other regulatory investigations. For more information, please contact Eddie Holman, Tracy Shapiro, Roger Li, or another member of the firm's privacy and cybersecurity practice.