All Things Newz
Law \ Legal

Message Sent! California Attorney General Announces $1.2 Million CCPA Settlement With Retailer And Its Focus On The Sale Of Customer Information – Privacy Protection


To print this article, all you need is to be registered or login on

On August 24, 2022, California Attorney General (AG) Rob Bonta
announced a settlement with beauty products
retailer, Sephora USA, Inc. (“Sephora”), resolving claims
that Sephora violated the California Consumer Privacy Act (CCPA)
for, among other things, failing to disclose to consumers that it
was selling their personal information (including precise location
data) and failing to honor opt-out requests via global privacy
controls (GPC) broadcasted from users’ web browsers. The proposed settlement has been submitted to a
California state court for approval.

This settlement is noteworthy in that it is the AG’s first
CCPA enforcement action. After releasing the final proposed CCPA regulations in
June 2020
, businesses were given notice that enforcement would
begin on or after July 1, 2020 (even as regulations were still
being finalized, with additional amendments released in March 2021;
rulemaking authority has since been assumed the California Privacy
Protection Agency, which was established by the California Privacy
Rights Act of 2020). Since that time, the AG has released a host of
CCPA enforcement case examples that offered
basic information about various situations where the AG had sent a
notice of CCPA noncompliance to a covered entity, which then
remedied the purported violation within the 30-day cure period
currently allowed under the statute. The Sephora settlement is the
first enforcement and monetary settlement involving the AG over
alleged CCPA violations.

According to the AG’s complaint, Sephora allegedly installed
third-party tracking technology on its website and mobile app that
monitored and profiled user activity (including precise location
data) to assist Sephora with ad targeting. The complaint alleges
that the consumer data was packaged and sold by the third-party
data company to other businesses. The AG stated, “if companies
make consumer personal information available to third parties and
receive a benefit from the arrangement—such as in the form of
ads targeting specific consumers—they are deemed to be
“selling” consumer personal information under the
law” and are required to give notice to the customers.

The complaint alleged that Sephora did not provide consumers
with a clear and conspicuous “Do Not Sell My Personal
Information” link (or two or more designated methods for
submitting opt-out requests). The complaint also asserted that
Sephora allegedly failed to process GPCs or “user-enabled
global privacy controls” that gives consumers the option to
universally opt-out of all online sales with just an adjustment to
their web browsers. After being informed of these alleged
violations, the AG claimed that Sephora failed to cure within 30
days, prompting the AG investigation that led to this

Under the proposed settlement, Sephora agreed to pay $1.2
million in penalties and comply with various injunctive relief,
agreeing to:

  • Provide notice to consumers that it sells personal information
    and that consumers have a right to opt-out;

  • Provide consumer opt-out requests made via GPC;

  • Conform its service provider agreements to the CCPA’s
    requirements; and

  • Implement a compliance program surrounding CCPA opt-out
    requests and provide an annual report to the CAG for a period of
    two years relating its compliance regarding its sale of personal
    information and compliance with CCPA opt-out requests, the status
    of its service provider relationships, and its efforts to honor

Messages the AG Hopes Businesses Receive

First, the AG is focused on the use of data
tracking and what it calls “commercial surveillance”
(including the sale of precise location data) that generally occurs
without the full understanding of consumers. The language used by
the AG echoes terms used by the Federal Trade Commission (FTC) in its recent
Advance Notice of Proposed Rulemaking
regarding potential trade
regulations limiting commercial surveillance practices, among other
things. While comprehensive, bipartisan federal data privacy
legislation (e.g., the so-called ADPPA) remains in the U.S. Senate, data
privacy enforcement continues to be a priority for the states (and
the FTC).

Second, the enforcement and additional
announcement that the AG has sent out additional notices to
businesses alleging various failures to process consumer opt-out
requests made via GPC privacy controls underscores that this
particular violation is on the AG’s radar.

Third, the illustrative examples of prior CCPA
investigations and notices show that the AG is receptive to working
with businesses to remedy violations under the 30-day cure period
currently allowed under the CCPA. Still, looking ahead, it should
be noted that the CCPA’s notice and cure provision, which
mandates that businesses receive notice of a violation and an
opportunity to cure before the CAG can bring an action, will expire
on January 1, 2023. Thus, with this grace period soon ending,
businesses should reexamine their CCPA compliance to get ready to
be operating within the CCPA’s requirements on a tightrope of
sorts, without a safety net.

Message Sent! California Attorney General
Announces $1.2 Million CCPA Settlement With Retailer And Its Focus
On The Sale Of Customer Information

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

The Rise Of Privacy Centers

Ankura Consulting Group LLC

As data privacy regulatory obligations continue to expand, more and more organizations are integrating privacy centers within their public-facing websites.

GDPR Compliance: What Is Privacy Shield 2.0?

Keating, Meuthing & Klekamp PLL

Four years ago, the European Union (“EU”) began enforcement of the General Data Protection Regulation (“GDPR”). The GDPR is a comprehensive data privacy law enacted to create a…


Source link

Related posts

Queensland Building and Construction Commission Act 1991 (QBCC Act) – Construction & Planning

New Law On Tips And Gratuities Now In Force – Employee Benefits & Compensation

Your baby, your de facto, your ex – why dying without a will is a very bad idea – Wills/ Intestacy/ Estate Planning