chevron-down Created with Sketch Beta.

Business Law Today

August 2022

August 2022 in Brief: Internet Law & Cyber-Security

Juliet Marie Moringiello

August 2022 in Brief: Internet Law & Cyber-Security
spainter_vfx -

Jump to:

CCPA Settlement: Retailer Accused of Violation of Privacy Laws Agrees to Pay $1.2 Million Penalty to California Attorney General

By Alan S. Wernick, Esq., Aronberg Goldgehn

In the California Attorney General’s (“CAG”) ongoing enforcement of the California Consumer Privacy Act of 2018 (“CCPA”), retailer Sephora USA, Inc. (“Sephora”), entered into a recent settlement agreement to resolve allegations that they violated the CCPA. Sephora, without making any admissions concerning allegations against it, agreed to, among other things, the following:

  1. Pay CAG $1.2 million dollars in penalties.
  2. Clarify Sephora’s online disclosures and privacy policies to include an affirmative representation that it sells consumers’ data, and provide processes for consumers to opt out of the sale of personal information, including via the Global Privacy Control.
  3. Provide reports to the CAG relating to Sephora’s sale of personal information and its efforts to honor Global Privacy Control. These reports will include the identities of all entities to which Sephora makes available the consumer’s personal information, and whether such entity is considered, under CCPA, to be a service provider.

In his statement about this matter, the CAG noted, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” Even if your business does not have a physical location in California, if your business handles California residents’ personal information, you may nonetheless be liable under the CCPA.

© 2022 Alan S. Wernick and Aronberg Goldgehn.

FTC Trade Regulation Rule on Commercial Surveillance and Data Security

By Rich Green, Gordon Rees Scully Mansukhani

The Federal Trade Commission’s August 22 Advance Notice of Proposed Rulemaking for privacy and data security (the “Data Protection ANPR”) is about getting answers. Specifically, the FTC seeks answers to ninety-five questions regarding how rulemaking might be used for, or affect, everything from e-commerce privacy to data security, to sector-specific consumer tracking and surveillance. There’s more to it than that, however. With the American Data Privacy Protection Act stalled, the Data Protection ANPR is as much about pushing Congress as it is FTC rulemaking—rulemaking FTC commissioner Noah Joshua Phillips noted in a statement that he feels it “go[es] beyond the Commission’s remit and outside its experience.” Time will tell. The public has until October 21 to provide comment.