In an age where many businesses regularly share consumer personal information, the California Attorney General sent a clear message to industry by announcing its first major enforcement action for violations of the California Consumer Privacy Act ("CCPA"). Passed in 2018, the CCPA went into effect on January 1, 2022, with the aim of giving consumers "more control" over their personal information collected online. On August 24, 2022, the California AG announced a landmark settlement in which Sephora USA, Inc., a retailer of personal care and beauty products, was required to pay $1.2 million in penalties and make specific changes to the way in which it tracks and uses consumer data. Under the CCPA, businesses have 30 days to cure alleged violations, after which they are subject to enforcement action. Perhaps due to the perceived unlikelihood of enforcement actually taking place, Sephora failed to comply. Consequently, the AG appears to have decided to make an example of the company.
Being aware of California's stance on consumer privacy rights is even more important as we approach the new year. Signed into law on November 3, 2020, the California Privacy Rights Act ("CPRA") will take effect and amend several portions of the CCPA on January 1, 2023. One of its most important impacts is that the 30-day grace period for a CCPA violation will no longer exist. In fact, under the CPRA, businesses will be subject to civil penalties immediately after the AG has deemed them to be in violation of the statute.
Sephora's CCPA Violation
The second major CCPA violation was that it did not honor consumer requests to opt out of the sale of their personal information communicated via Global Privacy Control ("GPC") signals. A GPC signal is a way for consumers to indicate their privacy preferences to a large number of websites without manually interfacing with each one. One example of how to set up a GPC mechanism is through a privacy configuration in an individual's web browser that signals the consumer's preferences whenever they visit a site on the Internet. The investigation by the California AG revealed that, while Sephora was receiving consumers' opt-out requests via GPC signals, it was effectively ignoring them and continued selling the associated consumers' data. The AG's investigation also revealed that Sephora did not post a "Do Not Sell My Information" link on its home page, as required by the CCPA.
In addition to a $1.2 million fine, the settlement imposes various obligations on Sephora. Chief among them is Sephora's implementation of a program to monitor whether it is correctly honoring opt-out requests within 180 days of the settlement, and for a period of two years thereafter.
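The two findings above (ignored opt-out signals and a missing "Do Not Sell" link) and the monitoring obligation map naturally onto an internal compliance check. The following is an added example, not Sephora's or the AG's code: it assumes the browser signal arrives as the `Sec-GPC: 1` request header defined by the W3C Global Privacy Control proposal, and it uses a constructed request log and a constructed set of tag names that the hypothetical site classifies as a "sale" of data.

```python
import re
from dataclasses import dataclass, field

# Header defined by the W3C Global Privacy Control proposal; the value "1" means opt out.
GPC_HEADER = "sec-gpc"
# Constructed: tag names this hypothetical site classifies as a "sale"/share of data.
SALE_TAGS = {"ad_pixel", "data_broker_sync"}
# Matches an anchor whose visible text contains "Do Not Sell My ..." (case-insensitive).
DO_NOT_SELL = re.compile(r"<a[^>]*>[^<]*do not sell my[^<]*</a>", re.IGNORECASE)


@dataclass
class RequestRecord:
    """One logged page view: headers received and tags the tag manager fired."""
    request_id: str
    headers: dict
    tags_fired: set = field(default_factory=set)


def gpc_opt_out(headers: dict) -> bool:
    """True when the browser sent Sec-GPC: 1 (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def find_violations(records: list) -> list:
    """Request ids where an opt-out signal arrived but a sale-classified tag still fired."""
    return [r.request_id for r in records
            if gpc_opt_out(r.headers) and r.tags_fired & SALE_TAGS]


def has_do_not_sell_link(home_page_html: str) -> bool:
    """Check that the home page carries a 'Do Not Sell My ...' link."""
    return DO_NOT_SELL.search(home_page_html) is not None


# Constructed sample log: r1 sent no signal, r2 ignores the signal,
# r3 honors it, r4 sent a value other than "1" (treated as no opt-out).
SAMPLE_RECORDS = [
    RequestRecord("r1", {"User-Agent": "x"}, {"ad_pixel"}),
    RequestRecord("r2", {"Sec-GPC": "1"}, {"ad_pixel", "analytics"}),
    RequestRecord("r3", {"sec-gpc": "1"}, {"analytics"}),
    RequestRecord("r4", {"Sec-GPC": "0"}, {"data_broker_sync"}),
]
SAMPLE_HOME_HTML = '<footer><a href="/privacy">Privacy</a></footer>'

if __name__ == "__main__":
    print("violations:", find_violations(SAMPLE_RECORDS))
    print("do-not-sell link present:", has_do_not_sell_link(SAMPLE_HOME_HTML))
```

Run periodically over the real tag-manager log, any request id returned by `find_violations` is an opt-out that was received but not honored.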
California Businesses Must Ready Themselves for the CPRA
The enforcement action against Sephora should send a clear message to businesses that California takes the privacy rights of its citizens very seriously. Until the end of the year, companies must take advantage of the 30-day period to cure any alleged CCPA violations of which they receive notice. Once the calendar turns, the CPRA will officially take effect. As stated, the CPRA is designed to provide stronger consumer data protections and, among a host of other changes, completely removes the grace period for any consumer data policy violations. The CPRA will also create a brand new administrative agency, the California Privacy Protection Agency ("CPPA"). The CPPA will enforce the State's privacy laws alongside the AG and promulgate additional CCPA guidelines.
As readers of this blog know, California is not the only jurisdiction that is implementing major changes to further protect consumer privacy. Because of this national consumer data privacy trend, it is important that businesses consult with experienced data privacy attorneys to maintain compliance.