November 10, 2022 Practice Points

California Attorney General Reaches $1.2 Million Settlement with Sephora

The settlement was part of a continued enforcement of the California Consumer Privacy Act.

By Patrick Hromisin and Austin Strine

On August 23, 2022, the California attorney general reached a $1.2 million settlement with Sephora USA, Inc., based on allegations that the company violated the California Consumer Privacy Act’s (CCPA) prohibition on selling consumer data to third parties. The attorney general had notified Sephora of the alleged violation and provided it with a 30-day window to cure the potential transgressions. The company failed to cure the alleged violations, prompting an expansive investigation and culminating in this enforcement action.

The California attorney general began exercising enforcement authority under the CCPA on January 1, 2020. Among the CCPA’s enumerated rights for consumers, the cornerstone of the CCPA is the right to opt out of the collection of personal information. In Sephora’s case, the Attorney General discovered that Sephora had installed on its website tracking devices supplied by third parties that monitored consumers’ shopping behavior. These devices collected data that included, but was not limited to, “whether a consumer is using a MacBook or a Dell, the brand of eyeliner that a consumer puts in their ‘shopping cart,’ and even the precise location of the consumer.” The stockpiled data also included purchasing practices that may lead to the conclusion that a woman is pregnant or entering menopause.

Under the CCPA, a consumer has the right to opt out of the collection and sale of this personal data by exercising a Global Privacy Control or simply clicking on a “Do Not Sell My Personal Information” link. Sephora’s website, however, failed to include these measures. The Attorney General became aware of Sephora’s shortfalls as part of an “enforcement sweep” of online retailers. The Attorney General’s office notified Sephora of its potential CCPA liability and provided it with 30 days to cure its noncompliance. According to the Attorney General, Sephora did not cure any of the alleged CCPA violations, and the Attorney General initiated an investigation and concluded that Sephora was “selling” consumer data as defined by the CCPA. Moreover, it discovered that Sephora’s website was not configured to “detect or process any global privacy control signals,” which would exclude consumers who informed the company through a global opt-out signal not to sell their data. Based on these suspected violations, the Attorney General initiated enforcement proceedings against Sephora, leading to a $1.2 million settlement with the company.

The attorney general’s approach to Sephora reinforces the CCPA foundation that if a company sells consumer data as defined by the CCPA, then it must inform the consumer that (1) it is collecting and selling their data; and (2) they have the right to opt out of the sale of their information. Sephora did neither. It is evident that the attorney general is taking an aggressive stance on enforcing the CCPA. Indeed, after announcing the settlement with Sephora, the attorney general sent notices to a number of businesses alleging CCPA noncompliance relating to the businesses’ failure to provide opt-out requests in general and process opt-out requests made via Global Privacy Controls. In light of these steps by California authorities, companies subject to the CCPA must do their due diligence and review their vendor contracts and practices involving user-tracking data to determine if consumer data is being collected, exchanged, or sold, and if so, should take steps to comply with their CCPA obligations.

What You Need to Know:

  • If a company subject to the CCPA collects consumer data through a website, it must configure the site to detect and honor global privacy control signals (such as users’ browser settings) or opt-out requests.
  • Companies must be cautious when exchanging consumer data with third parties, including “advertising networks, business partners, [and] data analytics providers,” for services, as the transaction may constitute a “sale” of personal information under the CCPA, triggering heightened compliance obligations.
  • If a company sells consumer information, as defined by the CCPA, it must inform the consumer of that fact and provide them with an opportunity to opt out of that sale.
  • The California Attorney General appears to be taking an aggressive approach to enforcing the CCPA, particularly relating to failures to implement and process global privacy control opt-out protocols.

Patrick Hromisin is of counsel with Saul Ewing in Philadelphia, Pennsylvania. Austin Strine is an associate with Saul Ewing in Baltimore, Maryland.

Note: The contents of this Practice Point first appeared in similar form as a client alert on Saul Ewing’s website in August 2022.

The material in all ABA publications is copyrighted and may be reprinted by permission only.

Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).