In an age where many businesses regularly share consumer personal information, the California Attorney General sent a clear message to industry by announcing its first major enforcement action for violations of the California Consumer Privacy Act ("CCPA"). Passed in 2018, the CCPA went into effect on January 1, 2022, with the aim of giving consumers "more control" over their personal information collected online. On August 24, 2022, the California AG announced a landmark settlement in which Sephora USA, Inc., a retailer of personal care and beauty products, was required to pay $1.2 million in penalties and make specific changes to the way in which it tracks and uses consumer data. Under the CCPA, businesses have 30 days to cure alleged violations, after which they are subject to enforcement action. Perhaps due to the perceived unlikelihood of enforcement actually taking place, Sephora failed to comply. Consequently, the AG appears to have decided to make an example of the company.

Being aware of California's stance on consumer privacy rights is even more important as we approach the new year. Signed into law on November 3, 2020, the California Privacy Rights Act ("CPRA") will take effect and amend several portions of the CCPA on January 1, 2023. One of its most important impacts is that the 30-day grace period for a CCPA violation will no longer exist. In fact, under the CPRA, businesses will be subject to civil penalties immediately after the AG has deemed them to be in violation of the statute.

Sephora's CCPA Violation

The California AG's Complaint against Sephora alleged two major CCPA violations and included associated claims. The State alleged that: 1) Sephora failed to inform consumers that it sold their personal information to third parties; and 2) it did not honor consumer opt-out requests communicated through Global Privacy Controls ("GPCs"). By now, most online shoppers understand that a degree of "commercial surveillance" occurs as they peruse online offerings. Countless websites track visitor actions and movements to improve advertisement targeting. In Sephora's case, it allowed third parties to track all kinds of consumer information, such as device IDs, consumer locations, and the types and brands of products that consumers were adding to their "carts." While the tracking itself was not at issue here, the fact that Sephora received a material benefit from making the consumer information available to third parties made the tracking arrangement a sale for CCPA purposes. Sephora not only failed to disclose that it was sharing or selling consumer information with third parties, it also represented in its privacy policy that it would not do so. In addition, Sephora did not have valid service provider contracts in place with the third-party entities that received the consumer data. The California AG deemed the foregoing to be a clear violation of the CCPA.

The second major CCPA violation was that Sephora did not honor consumer requests, communicated via GPC signals, to opt out of the sale of their personal information. A GPC is a way for consumers to indicate their privacy preferences to a large number of websites without manually interfacing with each one. One example of how to set up a GPC mechanism is through a privacy configuration in an individual's web browser that signals the consumer's preferences when they visit sites on the Internet. The investigation by the California AG revealed that, while Sephora was receiving consumers' opt-out requests via GPCs, it was effectively ignoring them and continued selling the associated consumers' data. The AG's investigation also revealed that Sephora did not post a "Do Not Sell My Information" link on its home page, as required by the CCPA.

In addition to a $1.2 million fine, the settlement imposes various obligations on Sephora. Chief among them is Sephora's implementation of a program to monitor whether it is correctly honoring opt-out requests within 180 days of the settlement, and for a period of two years thereafter.
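The opt-out mechanism described above, and the kind of monitoring the settlement requires, can be illustrated in code. This is an added example, not code from the article, from Sephora or from the settlement; it assumes the GPC specification's request header `Sec-GPC: 1`, a hypothetical list of page tags flagged as involving a sale of personal information, and a constructed log line format for the audit.

```javascript
// Added example: honoring a Global Privacy Control signal server-side and
// auditing request logs for opt-out requests that were not honored.
// Assumption: the GPC spec's request header "Sec-GPC: 1"; header names are
// lower-cased as most HTTP frameworks deliver them. Log format is constructed.

function gpcOptOut(headers) {
  const value = headers["sec-gpc"];
  // The GPC spec defines only the value "1" as an opt-out signal; any other
  // value, or a missing header, means no signal was expressed.
  return typeof value === "string" && value.trim() === "1";
}

// Decide which third-party tags may be injected into a page. Tags marked
// `sale: true` (hypothetical flag) are suppressed whenever GPC is set, so the
// opt-out is enforced before any data leaves the server-rendered page.
function tagsToLoad(headers, tags) {
  const optOut = gpcOptOut(headers);
  return tags.filter((t) => !(optOut && t.sale)).map((t) => t.name);
}

// Compliance audit over constructed log lines of the form
// "<request-id> gpc=<0|1> tag=<name> sale=<0|1>". A violation is any request
// where the consumer signalled GPC and a sale-flagged tag still fired.
function findGpcViolations(logText) {
  const violations = [];
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const parts = line.split(/\s+/);
    const id = parts[0];
    const fields = Object.fromEntries(parts.slice(1).map((kv) => kv.split("=")));
    if (fields.gpc === "1" && fields.sale === "1") {
      violations.push({ id, tag: fields.tag });
    }
  }
  return violations;
}

// Constructed sample log: r2 and r4 are opt-out requests that still fired a
// sale-flagged tag and should be reported by the audit.
const SAMPLE_LOG = `
r1 gpc=1 tag=analytics sale=0
r2 gpc=1 tag=adnet-pixel sale=1
r3 gpc=0 tag=adnet-pixel sale=1
r4 gpc=1 tag=cart-sync sale=1
`;
```

Running `findGpcViolations` periodically over real request logs is one way to build the ongoing monitoring program the settlement describes; the same `gpcOptOut` check belongs in front of any code path that shares data with a third party.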

California Businesses Must Ready Themselves for the CPRA

The enforcement action against Sephora should send a clear message to businesses that California takes the privacy rights of its citizens very seriously. Until the end of the year, companies must take advantage of the 30-day period to cure any alleged CCPA violations of which they receive notice. Once the calendar turns, the CPRA will officially take effect. As stated, the CPRA is designed to provide stronger consumer data protections and, among a host of other changes, completely removes the grace period for any consumer data policy violations. The CPRA will also create a brand new administrative agency, the California Privacy Protection Agency ("CPPA"). The CPPA will enforce the State's privacy laws alongside the AG, and promulgate additional CCPA guidelines.

As readers of this blog know, California is not the only jurisdiction that is implementing major changes to further protect consumer privacy. Because of this national consumer data privacy trend, it is important that businesses consult with experienced data privacy attorneys to maintain compliance.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.