The Sephora CCPA Settlement – How California’s First Fine Can Help Businesses Understand Their Privacy Requirements

In August, California’s Attorney General announced a settlement with Sephora that carried a $1.2 million dollar fine for Sephora’s California Consumer Privacy Act (CCPA) violations. This is the first CCPA action taken by California that resulted in a fine and settlement. It is important to understand what the California Attorney General alleged Sephora did in violation of the CCPA, so that your business does not face a similar scenario.

The CCPA

In June of 2018, the CCPA was signed into law, creating specific privacy rights for Californians and significant data protection obligations for businesses. The law provides California consumers have the right to: (i) Know about the personal information a business collects about them and how it is used and shared; (ii) Delete personal information collected from them (with some exceptions); (iii) Opt-out of the sale of their personal information; and (iv) Non-discrimination for exercising their CCPA rights. Each of these rights for consumers places obligations and burdens on businesses.

The CCPA currently only applies to for-profit business that do business in California and, (i) Have a gross annual revenue of over $25 million; (ii) Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or (iii) Derive 50% or more of their annual revenue from selling California residents’ personal information.

The Allegations

The complaint filed by the Attorney General made four main allegations that Sephora failed to: (i) Disclose that Sephora sold consumer information to third parties; (ii) Post a “Do Not Sell My Personal Information” link on its website; (iii) Have sufficient agreements in place with third-party service providers to prevent data transfer to those third parties being considered a sale under the CCPA; and (iv) Process opt out preferences received from user-enabled global privacy controls (GPCs). Importantly, the complaint noted that Sephora received 30 days’ notice of their violations as required under the CCPA, but failed to cure them.

Technical Tools Allegedly Misued

Per the complaint, Sephora used automatic third-party tracking technology (such as cookies and pixels) to collect personal information. This technology enabled third-party digital advertisers to monitor information (including precise location data) on consumers (such as what items a consumer put in their cart). The third-party advertisers then used this data to create their own profiles of Sephora’s consumers, and in turn provided Sephora free space for targeted advertising. Per the California Attorney General, this process constituted a “sale” of personal information. This settlement made clear a sale can occur when a business allows a third-party (such as an analytics provider) to collect personal information for the third-party’s own benefit in exchange for providing free services to the business. Put simply, a sale does not need to include monetary consideration to be considered a “sale”. Because Sephora allegedly failed to include affirmative representations that it sells personal information, it violated the CCPA.

Sephora also allegedly failed to provide and honor mechanisms for consumers to opt-out of the sale of their personal information. Sephora’s alleged violation included failing to recognize signals triggered by GPCs. A GPC gives consumers the option to universally opt-out of all online sales of their data by adjusting their web browser. A consumer’s use of a GPC then sends a signal to Sephora of the consumer’s opt-out preference, which Sephora also allegedly failed to honor.

The Settlement

Sephora agreed to pay a 1.2 million dollar fine. It also agreed to provide the Attorney General regular compliance reports for two years.

Main Takeaways

• Failure to provide opt out mechanisms and honor GPCs is a violation of the CCPA
• A sale can occur when a business allows a third-party (such as an analytics provider) to collect personal information for the third-party’s own benefit in exchange for providing free services to the business. A sale does not need to include monetary consideration
• Curing violations after receiving notice may be enough to avoid further action by California’s Attorney General. Per the CCPA, a company has 30 days to cure violations following receipt of notice from the Attorney General

Should you wish to discuss this settlement and its impact on privacy compliance, please reach out to a member of HMB’s Data Privacy team.