On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora to resolve allegations that it violated the California Consumer Privacy Act (CCPA) and failed to cure those violations within the CCPA's 30-day cure period.

Specifically, the attorney general alleged that Sephora failed to:

Disclose that it "sold" personal information as defined under the CCPA when it allowed third-party advertising and analytics providers that did not qualify as "service providers" to track Sephora's website and app users via cookies and other trackers.

Take steps required in connection with sales of personal information, which include providing an easy-to-find "Do not sell my personal information" link for users to opt out of those sales.

Treat signals from "user-enabled global privacy controls" the same as requests to opt out of the sale of personal information.

In addition to the monetary penalty, Sephora agreed to:

Clarify its online disclosures and privacy policy to include an affirmative representation that it sells personal information.

Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control.

Conform its vendor agreements to the CCPA's requirements for service providers.

Provide reports to the attorney general relating to the company's sale of personal information, the status of its service provider relationships and its efforts to honor Global Privacy Control.

The announcement also highlights other recent enforcement activity summarized on the attorney general's website, and notes that Bonta sent notices to other businesses alleging violations of the CCPA's user-enabled global privacy control rules. These rules allow consumers to opt out of sales of their personal information simply by configuring certain browsers or plug-ins to automatically transmit opt-out requests to the websites they visit.

The announcement is notable for several reasons:

While businesses have appropriately focused their recent compliance efforts on preparing for the CPRA's January 1, 2023, compliance deadline and other state privacy laws taking effect in 2023, Bonta's announcement is a warning not to ignore compliance gaps under the CCPA as it exists today. The Sephora settlement shines a spotlight on the user-enabled global privacy control requirement, as well as the use of third-party cookies, pixels and trackers, but businesses should not overlook the announcement's reference to the attorney general's ongoing enforcement of the CCPA's financial incentive requirements. Businesses would be well-advised to reconsider their compliance posture in light of the now considerable body of guidance from the attorney general's office on these and other requirements, which did not exist when most businesses completed their initial CCPA compliance efforts, and in light of the cure period's expiration on January 1, 2023.
