First CCPA Settlement
Just last week, on August 24th, 2022, California Attorney General, Rob Bonta, announced the very first settlement under the CCPA (California Consumer Privacy Act) since it became enforceable on July 1st, 2020. This settlement was reached between the California AG and Sephora, Inc following claims that the large makeup retailer violated a few aspects of the CCPA.
The violation that is stated in this settlement revolves around Sephora’s alleged failure to disclose its selling of California resident’s personal information to third-party advertising and analytics tools, failure to offer a “Do Not Sell My Personal Information” option for consumers to opt out of these practices, and a failure to comply to honor opt-out requests made via GPC signals.
Since this settlement marks the beginning of enforcement of California’s data privacy efforts, it has drawn the attention of many who hope to avoid being the next in line. In order to help organizations be able to prevent a similar situation, let’s look in more detail at what each of these alleged violations means.
- Failure to Disclose the Sale of Personal Information to Third-Party
The details from the California AG state that Sephora’s selling of customer personal information occurred when they implemented third-party trackers within their website. This included “cookies, pixels, software development kits, and other technologies that automatically send data about consumers’ online behavior to third-party companies.” Source. There is a clause within the CCPA that expressly prohibits the “exchange of personal information for anything of value” which they believe Sephora violated by providing access to their customer’s personal information to the aforementioned third parties in exchange for analytics for free or discounted rates or other advertising benefits. Beyond that, Sephora also did not have a contract with all of these companies so they were not acting as “service providers” within the rights of the law.
- Failure to Offer a “Do Not Sell” Option for Consumers
Just as we have seen with many of the data privacy laws that followed the lead of the CCPA, this law gives consumers the right to be able to ask a business what personal information they store on you and what they do with that information. Following this, you are supposed to be afforded the right to ask them to delete or “not sell” this information. In this area, it is being said that Sephora stated that they did not sell personal information rather than notifying consumers of what information had been sold or shared within the past year. At the core of this is that they did not provide a “Do Not Sell My Personal Information” link to ease this process.
- Failure to Implement Global Privacy Control Opt-Out Signals
Quick background: The GPC, which was developed as a response to the CCPA, is a “stop selling my data” switch that can be found in certain internet browsers or can be a browser extension. This serves as one acceptable way for consumers to opt out of the sale of their information. The idea behind this is that it serves as an option that signals a comprehensive opt-out request rather than individuals having to make requests on numerous websites or browsers. This follows a push to make the rights given to consumers simple to actually take advantage of.
Where Sephora went wrong in respect to the GPC is that they allegedly did not honor opt-out requests that were submitted via a GPC signal. This is the third violation that is brought against them in respect to the CCPA.
Just as we typically see with HIPAA settlements, the enforcement by the California AG will result in Sephora being required to pay its $1.2 million fine. This fine is quite large, partially due to the California AG counting each failure to honor a GPC request as a separate infraction against Sephora.
In addition to this fine, Sephora must submit to a monitoring and reporting program to ensure compliance with CCPA moving forward. This includes a 2-year required compliance program which assesses their handling of personal information and responses to opt-out requests. They must also monitor the third parties they share data with and treat them as service providers with the necessary contracts in place. Sephora is also required to submit an annual report to the AG that details their efforts to solve the issues that led to these violations while also admitting any problems or technical issues they experience along the way.
Overall this settlement shows us one thing: California is not messing around when it comes to data security and they want you to know that. These violations and the level of settlement should serve as a reminder to all California-based companies that they need to take a look at their own compliance and ensure that they have done all they need to do to avoid a similar settlement with their own company.