First Attorney General CCPA action results in $1.2 million settlement

Although portions of the California Consumer Privacy Act (“CCPA”) and its regulations are not yet effective, the California Attorney General’s (“AG”) office is not waiting to enforce. As it stands, the CCPA was amended by the California Privacy Rights Act (“CPRA”), and those amendments do not take full effect until January 2023. However, the majority of the CCPA is currently in effect, and Sephora is the first business to feel it.

According to a complaint filed by the AG’s office, Sephora is accused of violating the CCPA by (1) failing to properly notify consumers that it was collecting their data; (2) failing to post a “Do Not Sell My Personal Information” link; and (3) failing to detect and process consumer opt-out requests submitted through user-enabled global privacy controls, such as the Global Privacy Control (“GPC”) browser signal. This case is instructive on what “selling” data means under the CCPA and on how businesses should handle GPC.

Is your business “selling” data?

The CCPA broadly defines a sale as the exchange of personal information for money or anything else of value. In the Sephora case, the AG’s office contends that Sephora made customer data available to third parties in order to obtain advertising and analytics services. The complaint notes that Sephora’s privacy policy disclosed to consumers that it shares information with third parties, including “advertising networks, business partners, data analytics providers,” and others. However, the complaint also details that Sephora shared this information in exchange for free or discounted analytics and advertising benefits. The AG treated that in-kind exchange as a sale of personal information, which contradicted Sephora’s representation that it “does not sell personal information.” Thus, the AG contends that Sephora violated the CCPA both by collecting the data and by transferring it without proper notice.

Should GPC signals be honored?

GPC is a browser setting that lets users communicate their privacy preference to every website they visit: the browser sends the signal with its requests (as the `Sec-GPC: 1` HTTP header, also exposed to page scripts as `navigator.globalPrivacyControl`), telling the site that the user opts out of the sale and sharing of their data. There has been much debate over whether a business must honor GPC signals, since it has been argued that the CCPA leaves room for businesses not to accept them. The regulations proposed by the California Privacy Protection Agency (“CPPA”) reflect a push to require businesses to recognize GPC signals. Given the AG’s case against Sephora, businesses should be ready to update their websites and consent tooling to detect GPC signals and treat them as valid opt-out requests.

What’s next?

The AG’s office has made clear that Sephora is only one of many businesses it is investigating for CCPA compliance. It maintains that it is not trying to harm businesses and that the 30-day opportunity to cure is meant to give them guidance. Nevertheless, it will enforce the CCPA to its full extent where violations are found. Therefore, if your business is covered by the CCPA, you should consult a privacy professional to ensure you have an effective privacy compliance program tailored to your business.