On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.

As part of the settlement, Sephora is required to pay $1.2 million in penalties and comply with injunctive terms, specifically:

  • Clarifying its online disclosures and privacy policy to include an affirmative representation that it sells personal information;
  • Providing mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control (GPC)
  • Conforming its service provider agreements to the CCPA’s requirements; and 
  • Providing reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor GPC.

The settlement is the among the most significant enforcement actions taken in the effort to ensure businesses comply with California’s privacy law – the first of its kind in the United States. Through the CCPA, consumers can ask businesses to stop selling their personal information to third parties, including those signaled by the GPC. GPC is a third-party tool that could be used by consumers to opt out of the sale of their personal information by automatically sending a signal to any site that is visited by the consumer.

People of the State of California v. Sephora USA, Inc.

The complaint filed by the California Office of the Attorney General (OAG) stated that the Attorney General commenced an enforcement sweep of large retailers to determine whether they continued to sell personal information when a consumer signaled an opt-out via the GPC. According to the complaint, the Attorney General found that activating the GPC signal had no effect when a consumer would visit the Sephora website and that data continued to flow to third party companies, including advertising and analytics providers. That led to the Attorney General’s conclusion that Sephora’s website allegedly was not configured to detect or process any global privacy control signals, such as GPC, and that Sephora allegedly took no action to block the sharing of personal information when a California consumer signaled their opt-out using the GPC. The complaint further highlighted the need for businesses to be transparent regarding their use of third-party trackers on their websites and mobile applications.

The complaint further alleged that when Sephora sells products online, it collects personal information about consumers, including products that consumers view and purchase, consumers’ geolocation data, cookies and other user identifiers, and technical information about consumers’ operating systems and browser types. It then makes this data available to third parties such as advertising networks, business partners, and data analytics providers by installing (or allowing the installation of) third-party trackers in the form of cookies, pixels, software development kits, and other technologies, which automatically send data about consumers’ online behavior to the third-party companies.

By allowing third-party companies access to its customers’ online activities, the complaint alleged that Sephora received discounted or higher-quality analytics and other services derived from the data about consumers’ online activities, including the option to target advertisements to customers that had merely browsed for products online. The complaint alleged that Sephora’s website and mobile app failed to inform consumers that it sells their personal information and that they have the right to opt-out of this sale, that it failed to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their site, and that it failed to provide two or more designated methods for submitting requests to opt-out. Under Cal. Civ. Code § 1798.140, the CCPA defines a “sale” of personal information to include a disclosure for monetary or other valuable consideration. 

Sephora also allegedly did not have valid service provider contracts in place with each third party that collected personal information when Sephora installed or allowed the use of cookies or relevant code on its website or app, which is one exception to “sale” under the CCPA. Once notified of its CCPA violations, Sephora had 30 days to cure as outlined under the law. However, the company allegedly failed to cure the alleged violations within the time period, thereby prompting the Attorney General to initiate an investigation which led to the enforcement action.

Key Takeaways

The settlement outlines that the “sale” of personal information includes the trade of consumers’ personal information with third parties in exchange for analytics services or placing third party advertising cookies on a website, and other automatic data collection technologies that allow access to consumers’ online activities in exchange for advertising or analytic services. Moreover, such activities will subsequently be considered as either a “sale” or “share” of information under the California Privacy Rights Act (CPRA), effective January 1, 2023. The settlement also drives home the importance of complying with a customer’s request to opt-out of the sale of information, particularly through GPC.

The Attorney General’s enforcement action in the Sephora case aligns with many of the CCPA Enforcement Case Examples previously published by the OAG, which revolve around the disclosure of material terms, consumer consent, cookie options, opt-out mechanisms, and the need to maintain an up-do-date privacy policy. In this enforcement action, OAG pays particular focus on compliance with a consumer’s exercise of their privacy rights.

Businesses should take note of the higher scrutiny devoted to the treatment of consumer data and make efforts to comply with the California privacy laws, including:

  • Assessing whether it uses cookies or other technologies that may be considered a “sale” or “sharing” of personal information for targeted advertising, analytics, or in exchange of other forms of value.
  • Ensuring that its privacy policies are transparent as to the collection, processing, sale and sharing of personal information. A company’s privacy policy should clearly state whether personal information is sold.
  • Confirming that it has established opt-out mechanisms to allow consumers the ability to exercise their opt-out rights. This can take the form of a “Do Not Sell My Personal Information” link at the bottom of the company’s website. More importantly, should a consumer exercise their opt-out rights, a business should ensure that it has an established mechanism to process the request. This would include reviewing website capabilities to recognize any Global Privacy Control signals issued by a consumer’s browser. The settlement makes clear that a business must ensure that any user who has “user-enabled global privacy controls” is treated that same as users who have clicked the “Do Not Sell My Personal Information” link. The impetus behind this requirement stems from the desire to give consumers the ability to stop their data from being sold and allow such consumer to universally opt-out of all online sales in one fell swoop, without the need to click each time on an opt-out link. Businesses should assess their website’s capability to recognize signals triggered by GPC and recognize that an enforcement action is possible if the business does not implement adequate mechanisms to comply with consumer’s opt-out requests.
  • Reviewing the obligations under the California Privacy Rights Act, which will be effective January 1, 2023.

Accordingly, businesses should be diligent in assessing their compliance with the California privacy law. Looking to the future, businesses may also want to review the recently introduced American Data Privacy and Protection Act, a federal legislation aimed at creating a comprehensive federal consumer privacy framework. While not yet adopted, this may provide additional information of how privacy at the federal level may unfold in the coming years.

* * *

Crowell & Moring LLP has a robust California Consumer Privacy Act Practice and is highly experienced at advising companies of all sizes on compliance with state privacy laws. Crowell also has an extensive library of alerts and resources associated with California’s privacy laws, including: CCPA 2.0? California Adopts Sweeping New Data Privacy ProtectionsCalifornia AG Interprets Inferences Under CCPA, and Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations.