On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora to resolve allegations that it violated the California Consumer Privacy Act (CCPA) and failed to cure those violations within the CCPA's 30-day cure period.

Specifically, the attorney general alleged that Sephora failed to:

  • Disclose that it "sold" personal information as defined under the CCPA when it allowed third-party advertising and analytics providers that did not qualify as "service providers" to track Sephora's website and app users via cookies and other trackers.
  • Take steps required in connection with sales of personal information, which include providing an easy-to-find "Do not sell my personal information" link for users to opt out of those sales.
  • Treat signals from "user-enabled global privacy controls" the same as requests to opt out of the sale of personal information.

In addition to the monetary penalty, Sephora agreed to:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells personal information.
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control.
  • Conform its vendor agreements to the CCPA's requirements for service providers.
  • Provide reports to the attorney general relating to the company's sale of personal information, the status of its service provider relationships and its efforts to honor Global Privacy Control.

The announcement also highlights other recent enforcement activity summarized on the attorney general's website, and notes that Bonta sent notices to other businesses alleging violations of the CCPA's user-enabled global privacy control rules. These rules allow consumers to opt out of sales of their personal information simply by configuring certain browsers or plug-ins to automatically transmit opt-out requests to the websites they visit.

The announcement is notable for several reasons:

  • It is a forceful response to low levels of compliance with the user-enabled global privacy control requirement, which have persisted despite efforts by the attorney general to call attention to the requirement in the first CCPA regulations adopted in March 2020, a tweet sent by Bonta's predecessor in January 2021, Bonta's publication of enforcement actions focused on the requirement in July 2021, and California's new privacy regulator, the California Privacy Protection Agency, naming as its executive director Ashkan Soltani, one of the creators of the Global Privacy Control.
  • It illustrates the attorney general's view that "sales" of personal information can result from use of a wide range of advertising, analytics and other services, including those provided via commonly used cookies, pixels and similar technologies, if the vendor contract lacks the data use prohibitions necessary to qualify the vendor as a "service provider" under the CCPA.
  • It ends debate about how aggressively the attorney general would enforce the CCPA's sale rules before the California Privacy Rights Act (CPRA) modifies them effective January 1, 2023.
  • It includes the pointed reminder that "businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring" on January 1, 2023. The cure period has allowed dozens of businesses cited for violations to resolve them without penalties, which is a safety net that will disappear in the new year.
  • It echoes language used recently in the Federal Trade Commission's advance notice of proposed rulemaking , by noting that the settlement underscores the rights consumers have under the CCPA to fight "commercial surveillance."
  • The first check written to settle a CCPA enforcement action will be from a subsidiary of French multinational corporation LVMH Moët Hennessy Louis Vuitton, serving as a reminder of the CCPA's global impact and the severe consequences that can result from ignoring its unique requirements, many of which are not imposed by the General Data Protection Regulation.

While businesses have appropriately focused their recent compliance efforts on preparing for the CPRA's January 1, 2023, compliance deadline and other state privacy laws taking effect in 2023, Bonta's announcement is a warning not to ignore compliance gaps under the CCPA as it exists today. The Sephora settlement shines a spotlight on the user-enabled global privacy control requirement, as well as the use of third-party cookies, pixels and trackers, but businesses should not overlook the announcement's reference to the attorney general's ongoing enforcement of the CCPA's financial incentive requirements. Businesses would be well-advised to reconsider their compliance posture in light of the now considerable body of guidance from the attorney general's office on these and other requirements, which did not exist when most businesses completed their initial CCPA compliance efforts, and in light of the cure period's expiration on January 1, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.