On August 23, 2022, the California attorney general reached a $1.2 million settlement with Sephora USA, Inc., based on allegations that the company violated the California Consumer Privacy Act’s (CCPA) prohibition on selling consumer data to third parties. The attorney general had notified Sephora of the alleged violation and provided it with a 30-day window to cure the potential transgressions. The company failed to cure the alleged violations, prompting an expansive investigation that culminated in this enforcement action.
The California attorney general began exercising enforcement authority under the CCPA on January 1, 2020. Among the CCPA’s enumerated rights for consumers, the cornerstone is the right to opt out of the collection of personal information. In Sephora’s case, the Attorney General discovered that Sephora had installed on its website tracking devices supplied by third parties that monitored consumers’ shopping behavior. These devices collected data that included, but was not limited to, “whether a consumer is using a MacBook or a Dell, the brand of eyeliner that a consumer puts in their ‘shopping cart,’ and even the precise location of the consumer.” The stockpiled data also included purchasing practices that may lead to the conclusion that a woman is pregnant or entering menopause.
Under the CCPA, a consumer has the right to opt out of the collection and sale of this personal data by exercising a Global Privacy Control or simply clicking on a “Do Not Sell My Personal Information” link. Sephora’s website, however, failed to include these measures. The Attorney General became aware of Sephora’s shortfalls as part of an “enforcement sweep” of online retailers. The Attorney General’s office notified Sephora of its potential CCPA liability and provided it with 30 days to cure its noncompliance. According to the Attorney General, Sephora did not cure any of the alleged CCPA violations, and the Attorney General initiated an investigation and concluded that Sephora was “selling” consumer data as defined by the CCPA. Moreover, it discovered that Sephora’s website was not configured to “detect or process any global privacy control signals,” which would exclude consumers who informed the company through a global opt-out signal not to sell their data. Based on these suspected violations, the Attorney General initiated enforcement proceedings against Sephora, leading to a $1.2 million settlement with the company.