On August 24, 2022 we saw the first settlement under the California Consumer Privacy Act (“CCPA”). In a press release from the office of California Attorney General Rob Bonta, the Attorney General stated that “Sephora failed to disclose to consumers that it was selling their personal information, [and] it failed to process user requests to opt out of sale via user-enabled global privacy controls.” In its current form, the CCPA provides a 30-day cure period for companies that have received a notice of violation from the CA AG. To date, this is the first instance where a company did not cure the alleged violation within the cure period (we’ve seen two batches of enforcement cases where businesses cured the alleged violations and avoided the litigation/settlement phase that Sephora is in).
For these violations, Sephora will have to pay a $1.2 million fine as well as implement a few changes. Namely, Sephora must:
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Similar to how the FTC requires companies to check back in with the FTC about their progress, provide reports to the Attorney General about its compliance efforts with the above.
This isn’t a record-breaking fine, but it is sending a message. Let's dig into the nuances of each violation and flesh out that message.
The First Violation: Not Disclosing “Sales”
The Second Violation: Not Honoring the GPC
Unlike the first violation, the alleged violation of not honoring a global privacy control (“GPC”) is unexpected, given that this provision of the CCPA is still in flux. The requirements surrounding the GPC are a large component of the current draft regulations - ‘draft’ as in not finalized.
As the law stands now, § 999.315(c) of the CCPA states,
If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.
As this section shows, the text of the CCPA in its current form requires businesses to honor GPCs. I’ll give it to the CA AG: this language is unambiguous in its requirement that GPCs be honored. However, given that the draft regulations largely redlined the above requirements (and even renamed them “Opt Out Preference Signals”), and moreover given that these draft regulations have not been finalized, it is still unclear what businesses must do in order to be considered in compliance. Having written a few comments ourselves, we know that these GPCs are the subject of many comments (which were due to the California Privacy Protection Agency (“CPPA”) in August). Because of the mutability of these obligations, it's an odd time for Attorney General Bonta to draw a hard line.
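To make concrete what “treat the signal as a valid request ... for that browser or device, or, if known, for the consumer” looks like on the server side, here is an added example (not code from the original post or from any business it discusses). It relies on one fact outside the page: the GPC specification transmits the signal as the `Sec-GPC: 1` request header. The registry, function names and sample requests are assumptions constructed for illustration.

```python
# Added example: honoring a Global Privacy Control (GPC) signal the way
# § 999.315(c) describes it. The "Sec-GPC: 1" request header is the signal
# defined by the GPC specification; the store and names below are assumed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True when the request carries a GPC opt-out signal.

    Header names are matched case-insensitively; only the value "1" counts,
    since the spec defines no other affirmative value.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutRegistry:
    """Toy store of opt-out-of-sale records, keyed by device and by consumer."""
    by_device: Set[str] = field(default_factory=set)
    by_consumer: Set[str] = field(default_factory=set)

    def record_gpc(self, headers: Dict[str, str], device_id: str,
                   consumer_id: Optional[str]) -> str:
        """Apply a GPC signal; returns the scope opted out ("none" if no signal).

        device_id:   the browser/device identifier (e.g. a first-party cookie).
        consumer_id: the known account id, or None for an unidentified visitor.
        """
        if not gpc_signal_present(headers):
            return "none"
        self.by_device.add(device_id)          # always at least the device
        if consumer_id is not None:            # "or, if known, for the consumer"
            self.by_consumer.add(consumer_id)
            return "consumer"
        return "device"

    def may_sell(self, device_id: str, consumer_id: Optional[str]) -> bool:
        """Gate every 'sale' (e.g. firing a third-party ad tag) on the registry."""
        if device_id in self.by_device:
            return False
        if consumer_id is not None and consumer_id in self.by_consumer:
            return False
        return True
```

Note that a consumer-scope record follows the person to other devices, whereas a device-only record does not; the check in `may_sell` has to run before any data leaves for a third party, not after.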
I’d wager that businesses are frustrated by being held to an obligation that is still unspecified, especially considering that they will have to scramble to operationalize the upcoming regulations, which won't be finalized until just a few short months before they are enforced.
Attorney General Bonta is Sending a Message
This Sephora GPC holding isn’t going to be a one-off. In the press release, Attorney General Bonta made it clear that the GPC was front and center for enforcement, stating “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
And Attorney General Bonta made it clear in the press release that these words aren’t hollow. He took the opportunity to reveal that further notices have already been sent to businesses. He put businesses on notice of three additional violations in the crosshairs: (1) online advertising businesses’ privacy disclosures need to be complete and understandable to the average consumer (no more hiding behind technical or vague language); (2) "Do Not Sell My Personal Information" links must work on all browsers and not contain dark patterns (aka they can’t be confusing or require additional steps); and (3) businesses operating loyalty programs cannot offer financial incentives in exchange for personal information without providing consumers with a notice of financial incentive (the CA AG has already done an enforcement sweep).