Sephora To Pay $1.2 Million in Settlement with California Attorney General After Breach of California Consumer Privacy Act

California Attorney General Rob Bonta last month issued the first-ever enforcement action under the California Consumer Privacy Act (CCPA) against cosmetics retail chain Sephora. 

 

According to a press release dated Aug. 24, 2022 on the California Attorney General’s office website, the office conducted an enforcement sweep of online retailers and alleged that Sephora failed to disclose to consumers that it was selling their personal information. The retailer also allegedly failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and did not cure these violations within the 30-day period currently allowed by the CCPA.

 

The news, which was also posted to the Freeman Mathis and Gary Law official website in a blog post dated Sept. 1, states that the complaint against Sephora alleges that the company withheld information about the sale of its customers’ private information in its privacy notice. Through the use of its website, Sephora collects personal information and shopping history from its users. Sephora then provides said information to interested third parties, such as advertising companies and data analytics providers, in exchange for their services. Bonta deemed this arrangement a “sale” under the CCPA, as personal information was disclosed by one party to another party in exchange for money, according to the blog post.

 

“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale,” said Attorney General Bonta in the news release.

 

The CCPA was signed into law in 2018 and went into effect in 2020 and provides enhanced privacy rights for California’s consumers including the right to know about personal information a business collects and how it is used; the right to delete personal information collected about them; the right to opt-out of the sale of personal information; and the right to nondiscrimination for exercising these rights.  

 

The CCPA also requires that websites respect the preferences of consumers who opt to use Global Privacy Control – an all-in-one technical specification for opting out of the sale of all personal information on each website used by the indicated consumer. This privacy solution is provided via website browsers. 

 

The complaint alleged that Sephora failed to provide a “Do Not Sell My Personal Information” button or comply with additional opt-out requirements established by the CCPA. The complaint also alleges that Sephora failed to recognize the preferences of consumers who had enabled GCP on their browsers. 

 

As a result, Sephora agreed to a $1.2 million settlement and is required to adhere to other injunctive terms, according to the post. This includes a two-year requirement for Sephora to conduct annual assessments reporting on whether it has effectively processed consumer requests to opt out of the sale of their personal information. Sephora must also report the findings of said assessments to the California Attorney General’s office. 

 

The law firm encourages that businesses review their online privacy practices to ensure that they have CCPA-compliant controls in place on their websites and applications. Failure to do so result in the California attorney general’s issuance of such notices of non-compliance and enforcement actions for fines and injunctive terms. 

 

Enforcement of the California Privacy Rights Act will begin in 2023. 

 

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” said Bonta. “My office is watching, and we will hold you accountable.”