California Attorney General Settles First-Ever CCPA Enforcement Action
Alerts
August 29, 2022

On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG's first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling the personal information of California consumers through the use of third-party website advertising and analytics tools, failing to provide a "Do Not Sell My Personal Information" link for consumers to opt out of those sales, and failing to honor Global Privacy Control (GPC) signals as a means of opting out. As part of the relief, Sephora was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA.

The Complaint

The complaint alleged violations of both the CCPA and California's Unfair Competition Law. As for the CCPA violations, the California AG asserted that Sephora sold its customers' personal information when it installed third-party trackers on its website, including cookies, pixels, software development kits, and other technologies that automatically sent data about consumers' online behavior to third-party companies. The complaint further alleged that, because Sephora provided access to customer personal information to these companies in exchange for advertising benefits and free or discounted analytics, this activity constituted an "exchange of personal information for anything of value" that met the definition of "sale" under the CCPA. The complaint also noted that Sephora did not have contracts with all of these companies to position them as service providers.

The California AG claimed that Sephora did not meet its regulatory obligations as a seller of California consumers' personal information. Specifically, the complaint alleged that Sephora did not notify consumers of all of the categories of personal information it had sold or shared in the last 12 months. Instead, Sephora's California-specific disclosures allegedly said that the company did not sell personal information. Also, the complaint alleged that Sephora did not post a "Do Not Sell My Personal Information" link to allow customers to opt out of these sales, and it did not honor consumer opt-out requests made through a GPC signal. The complaint alleged that the California AG notified Sephora of these violations on June 25, 2021, but the company had not cured the violations as of July 26, 2021. As a result, the California AG brought the complaint after an investigation and Sephora's failure to cure its violations within 30 days.

The California AG also claimed that Sephora violated California's Unfair Competition Law by making false or misleading statements about the sale of customers' personal information and unfairly denying customers the ability to opt out of this sale.

The Settlement

In addition to requiring Sephora to disclose to customers that the company sells their personal information when it uses online tracking technology and provide an opt-out link, there are several notable requirements in the settlement:

  • A $1.2 million penalty: The judgment orders Sephora to pay the California AG a penalty of $1.2 million, which must be deposited in the California Consumer Privacy Fund created by the CCPA. Interestingly, the California AG treated each time Sephora did not honor a GPC signal, or a customer visited Sephora's website after the 30-day cure period, as a separate violation of the CCPA.
  • A requirement to honor GPC signals: There was some initial contentiousness over the requirement in the CCPA Regulations to honor GPC signals as a valid CCPA opt-out request, as commenters have argued that the requirement lacks statutory authority and is overly vague. Nevertheless, the California AG, through this settlement, has reaffirmed his commitment to this requirement by partially basing his first-ever CCPA enforcement action on Sephora's refusal to honor GPC signals.
  • Required compliance program: For two years, Sephora must implement and maintain a compliance program that assesses how it makes personal information available to third parties and responds to customers' opt-out requests. As part of this program, Sephora must monitor the third parties to whom it makes personal information available and enter into contracts with them as service providers if these third parties are considered as such.
  • Required compliance reports: Along with its compliance program, Sephora must submit annual reports to the California AG that describe its efforts to honor GPC signals and any errors or technical problems that Sephora faces in these efforts. These reports must also list the third parties to whom Sephora makes personal information available, and any efforts to engage them as service providers or otherwise.

Key Takeaways

To mitigate the risk of a California AG CCPA enforcement action, businesses should consider the following takeaways:

  • Honoring GPC signals: In this settlement, the California AG made clear that his position is that businesses that "sell" personal information under the CCPA must honor GPC signals as valid opt-outs. Businesses unwilling to challenge the legal basis for this requirement through litigation should have a system in place that recognizes and processes these signals as valid "Do Not Sell" requests.
  • Carefully evaluate contractual provisions when making personal information available to analytics and advertising providers: Businesses making personal information available to analytics and advertising providers should closely evaluate whether making that information available constitutes a sale under the CCPA. The settlement with Sephora demonstrates that the California AG will consider a business providing access to customers' personal information in exchange for free or discounted analytics and advertising benefits to be a "sale" absent a valid service provider contract. Businesses that "sell" personal information to analytics and advertising providers in this manner should follow the associated CCPA opt-out requirements.
  • If disclosing personal information to service providers, ensure required contractual terms are in place: The CCPA provides an exception for its definition of sale if the business has a valid service provider contract with the receiving party. Businesses disclosing personal information to vendors acting as service providers should ensure that they have contracts in place that include restrictions on the processing of that personal information.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and respond to state AG and other regulatory investigations. For more information, please contact Eddie Holman, Tracy Shapiro, Roger Li, or another member of the firm's privacy and cybersecurity practice.

Contributors

  • Eddie Holman
  • Tracy Shapiro
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.