All Things Newz
Law \ Legal

California Attorney General Announces $1.2 Million CCPA Settlement With Sephora Amid Ongoing Enforcement Sweep – Privacy Protection


To print this article, all you need is to be registered or login on

On August 24, 2022, California Attorney General Rob Bonta
announced a $1.2 million settlement with cosmetics retailer

to resolve allegations that it violated the California Consumer
Privacy Act (CCPA) and failed to cure those violations within the
CCPA’s 30-day cure period.

Specifically, the attorney general alleged that Sephora failed

  • Disclose that it “sold” personal information as
    defined under the CCPA when it allowed third-party advertising and
    analytics providers that did not qualify as “service
    providers” to track Sephora’s website and app users via
    cookies and other trackers.

  • Take steps required in connection with sales of personal
    information, which include providing an easy-to-find “Do not
    sell my personal information” link for users to opt out of
    those sales.

  • Treat signals from “user-enabled global privacy
    controls” the same as requests to opt out of the sale of
    personal information.

In addition to the monetary penalty, Sephora agreed to:

  • Clarify its online disclosures and privacy policy to include an
    affirmative representation that it sells personal information.

  • Provide mechanisms for consumers to opt out of the sale of
    personal information, including via the Global Privacy

  • Conform its vendor agreements to the CCPA’s requirements
    for service providers.

  • Provide reports to the attorney general relating to the
    company’s sale of personal information, the status of its
    service provider relationships and its efforts to honor Global
    Privacy Control.

The announcement also highlights other recent enforcement
activity summarized on the
attorney general’s website
, and notes that Bonta sent
notices to other businesses alleging violations of the CCPA’s
user-enabled global privacy control rules. These rules allow
consumers to opt out of sales of their personal information simply
by configuring certain browsers or plug-ins to automatically
transmit opt-out requests to the websites they visit.

The announcement is notable for several reasons:

  • It is a forceful response to low levels of compliance with the

    user-enabled global privacy control requirement
    , which have
    persisted despite efforts by the attorney general to call attention
    to the requirement in the first CCPA
    adopted in March 2020, a
    tweet sent by Bonta’s predecessor
    in January 2021,
    Bonta’s publication of
    enforcement actions focused on the requirement
    in July 2021,
    and California’s new privacy regulator, the California Privacy Protection
    , naming as its executive director
    Ashkan Soltani
    , one of the creators of the Global Privacy

  • It illustrates the attorney general’s view that
    “sales” of personal information can result from use of a
    wide range of advertising, analytics and other services, including
    those provided via commonly used cookies, pixels and similar
    technologies, if the vendor contract lacks the data use
    prohibitions necessary to qualify the vendor as a “service
    provider” under the CCPA.

  • It ends debate about how aggressively the attorney general
    would enforce the CCPA’s sale rules before the
    California Privacy Rights Act (CPRA)
    modifies them effective
    January 1, 2023.

  • It includes the pointed reminder that “businesses’
    right to avoid liability by curing their CCPA violations after they
    are caught is expiring” on January 1, 2023. The cure period
    has allowed dozens of
    businesses cited for violations
    to resolve them without
    penalties, which is a safety net that will disappear in the new

  • It echoes language used recently in the
    Federal Trade Commission’s advance notice of proposed

    by noting that the settlement underscores the rights
    consumers have under the CCPA to fight “commercial

  • The first check written to settle a CCPA enforcement action
    will be from a subsidiary of French multinational corporation LVMH
    Moët Hennessy Louis Vuitton, serving as a reminder of the
    CCPA’s global impact and the severe consequences that can
    result from ignoring its unique requirements, many of which are not
    imposed by the General Data Protection Regulation.

While businesses have appropriately focused their recent
compliance efforts on preparing for the
CPRA’s January 1, 2023, compliance deadline
and other state
privacy laws taking effect in 2023, Bonta’s announcement is a
warning not to ignore compliance gaps under the CCPA as it exists
today. The Sephora settlement shines a spotlight on the
user-enabled global privacy control requirement, as well as the use
of third-party cookies, pixels and trackers, but businesses should
not overlook the announcement’s reference to the attorney
general’s ongoing enforcement of the CCPA’s
financial incentive requirements
. Businesses would be
well-advised to reconsider their compliance posture in light of the
now considerable body of
from the attorney general’s office on these and
other requirements, which did not exist when most businesses
completed their initial CCPA compliance efforts, and in light of
the cure period’s expiration on January 1, 2023.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

The Rise Of Privacy Centers

Ankura Consulting Group LLC

As data privacy regulatory obligations continue to expand, more and more organizations are integrating privacy centers within their public-facing websites.

CFPB: Safeguard Consumer Data Or Face Liability

Sheppard Mullin Richter & Hampton

The CFPB recently published a circular clarifying liability under consumer financial protection law for financial companies that fail to safeguard consumer data.

GDPR Compliance: What Is Privacy Shield 2.0?

Keating, Meuthing & Klekamp PLL

Four years ago, the European Union (“EU”) began enforcement of the General Data Protection Regulation (“GDPR”). The GDPR is a comprehensive data privacy law enacted to create a…


Source link

Related posts

Another Blow To The Federal Contractor Vaccine Mandate – Government Contracts, Procurement & PPP

Employment Tip Of The Month – December 2022 –

Police claim to have identified Medibank cyber-criminals – Privacy Protection