California v. Sephora


On August 24, 2022 we saw the first settlement under the California Consumer Privacy Act (“CCPA”). In a press release from the office of California Attorney General Rob Bonta, the Attorney General stated that “Sephora failed to disclose to consumers that it was selling their personal information, [and] it failed to process user requests to opt out of sale via user-enabled global privacy controls.” In its current form, the CCPA provides a 30-day cure period for companies that have received a notice of violation from the CA AG. To date, this is the first instance where a company did not cure the alleged violation within the cure period (we’ve seen two batches of enforcement cases where businesses cured the alleged violations and avoided the litigation/settlement phase that Sephora is in).

For these violations, Sephora will have to pay a $1.2 million fine as well as implement a few changes, namely, Sephora must:

  • Clarify in its online disclosures and privacy policy that it sells data;
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
  • Conform its service provider agreements to the CCPA’s requirements; and
  • Similar to how the FTC requires companies to check back in with the FTC about their progress, provide reports to the Attorney General about its compliance efforts with the above.

This isn’t a record-breaking fine, but it is sending a message. Let's dig into the nuances of each violation and flesh out that message.

The First Violation: Not Disclosing “Sales”

The first cited violation, not disclosing the sale of personal information in its privacy policy, is a fairly common action against businesses subject to the CCPA. Specifically, Sephora placed third-party advertising and analytics cookies/pixels (and other similar tracking technologies) on its website. The CA AG made it clear that such cookies are in fact a ‘sale’ under the CCPA and, as such, need to be disclosed to consumers in Sephora’s privacy policy. We’ve seen from a number of previous enforcement cases released by the CA AG that privacy policies need to accurately disclose a business’ privacy practices. Given the simplicity of curing this alleged violation, it's a bit strange that Sephora chose not to remedy the issue and update its privacy policy; it's a small lift compared to the fine for violation and the potential reputational issue of noncompliance.

The Second Violation: Not Honoring the GPC

Unlike the first violation, the alleged violation of not honoring a global privacy control (“GPC”) is unexpected given this provision of the CCPA is still in flux. The requirements surrounding the GPC are a large component of the current draft regulations - ‘draft’ as in not finalized.

As the law stands now, § 999.315(c) of the CCPA states,

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

As this section shows, the text of the CCPA in its current form requires businesses to honor GPCs. I’ll give it to the CA AG: this language is unambiguous in the requirement for honoring GPCs. However, given that the draft regulations largely redlined the above requirements (and even renamed them “Opt Out Preference Signals”), and moreover that these draft regulations have not been finalized, it is still unclear what businesses must do in order to be considered in compliance. Having written a few comments ourselves, we know that these GPCs are the subject of many comments (which were due to the California Privacy Protection Agency (“CPPA”) in August). Because of the mutability of these obligations, it's an odd time for Attorney General Bonta to draw a hard line.
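To make concrete what “treating a user-enabled global privacy control as a valid opt-out request” looks like in code, here is an added example (not from the original post, and not Sephora’s or the CA AG’s code). It assumes the signal is carried as the GPC specification describes, the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` browser property, and uses a constructed, hypothetical list of third-party tags; the spec treats only the exact value `1` as an opt-out, so anything else is read as “no signal”.

```javascript
// Added example: honoring the Global Privacy Control (GPC) on the server and in
// the browser. Header name, value and DOM property follow the GPC specification;
// the tag list, device id and store are constructed sample data.

// Per the GPC spec, only the exact header value "1" is an opt-out signal. A
// missing header, "0" or any other value means no signal was sent.
function gpcOptOutRequested(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  if (raw === undefined || raw === null) return false;
  return String(raw).trim() === '1';
}

// Server-side gate for third-party tags. Tags marked `sale: true` (advertising
// and analytics pixels that share data with third parties, the category the CA
// AG treated as a "sale") are withheld when the browser signals GPC.
function filterTagsForRequest(headers, tags) {
  const optOut = gpcOptOutRequested(headers);
  return tags.filter((tag) => !(optOut && tag.sale));
}

// Browser-side counterpart so a client-rendered tag manager reaches the same
// decision as the server. Pass `navigator` in real code; a plain object here.
function gpcOptOutInBrowser(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Record the signal like any other section 1798.120 opt-out request. GPC
// identifies the browser or device, so the record is keyed by device id
// unless the consumer is otherwise known.
function recordOptOut(store, deviceId, headers) {
  if (!gpcOptOutRequested(headers)) return false;
  store.set(deviceId, { optOutOfSale: true, source: 'gpc' });
  return true;
}

// Constructed sample tags (hypothetical names, not any real vendor's).
const SAMPLE_TAGS = [
  { name: 'first-party-session', sale: false },
  { name: 'ad-network-pixel', sale: true },
  { name: 'analytics-share', sale: true },
];

// Usage: with GPC set, only the first-party tag survives.
const allowed = filterTagsForRequest({ 'sec-gpc': '1' }, SAMPLE_TAGS);
console.log(allowed.map((t) => t.name)); // [ 'first-party-session' ]
```

The point of keeping both the server check and the browser check is the “across all browsers” problem the settlement raises: the header is present only on requests from browsers that implement GPC, so a site that gates trackers purely in a client-side tag manager must consult `navigator.globalPrivacyControl` too, or it will load the pixels before any opt-out is recorded.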

I’d wager that businesses are frustrated by being held to an obligation that is still unspecified, especially since they will have to scramble to operationalize the upcoming regulations, which won't be finalized until just a few short months before they are enforced.

Attorney General Bonta is Sending a Message

This Sephora GPC holding isn’t going to be a one-off. In the press release, Attorney General Bonta made it clear that the GPC was front and center for enforcement, stating “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

And Attorney General Bonta made it clear in the press release that these words aren’t hollow. He took the opportunity to reveal that further notices have already been sent to businesses. He put businesses on notice of three additional violations in the crosshairs: (1) online advertising businesses’ privacy disclosures need to be complete and understandable to the average consumer (no more hiding behind technical or vague language); (2) "Do Not Sell My Personal Information" links must work on all browsers and not contain dark patterns (i.e., they can’t be confusing or require additional steps); and (3) businesses operating loyalty programs cannot offer financial incentives in exchange for personal information without providing consumers with a notice of financial incentive (the CA AG has already done an enforcement sweep).

In sum, the message is this: the CA AG is serious about enforcing the CCPA. We recommend reviewing your company’s privacy practices now. Ensure your privacy policy accurately discloses your data practices, and confirm that your business can and does honor the global privacy control across all browsers (we’ll learn more about the nuances of implementing the global privacy control when the regulations are finalized). In the meantime, quickly review your business’ privacy practices before the mandatory 30-day cure period for violations is gone on January 1, 2023.