First CCPA Enforcement Action Provides Lessons on Privacy Compliance

September 6, 2022

Reprinted with permission from the August 31, 2022 edition of The Legal Intelligencer © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

On August 24, 2022, the California Office of the Attorney General (“OAG”) announced its first public enforcement action under the California Consumer Privacy Act (“CCPA”). A proposed settlement between the OAG and French-based cosmetics retailer Sephora would require Sephora to pay $1.2 million in penalties to resolve allegations that the company violated the CCPA.

The settlement terms are documented in a Proposed Final Judgment and Permanent Injunction filed jointly by the parties, while the underlying allegations are detailed further in a filed Complaint and an accompanying press release from the OAG.

In its press release, the OAG asserts that Sephora:

  • failed to disclose to consumers that it was selling their personal information;
  • failed to process user requests via user-enabled global privacy controls in violation of the CCPA; and,
  • did not cure these violations within the 30-day period currently allowed by the CCPA.

The OAG’s underlying Complaint against Sephora emphasizes that its enforcement efforts are targeted at the use of third-party tracking software by online retailers. The OAG’s focus appears to be on requiring businesses to allow consumers to effectively opt-out of the sharing of their personal information, including by use of an internet browser tool, the Global Privacy Control.

Key allegations of the Complaint include the following:

  • Third party tracking companies have been permitted access by online retailers to consumers’ personal information and personal information of website visitors, which these third parties keep and use for the benefit of their other business customers without the knowledge or consent of the consumers.
  • The data tracked through this “third-party surveillance” can include sensitive personal information, “such as prenatal and menopause support vitamins—data points which can be used by third-party companies to infer conclusions about women’s health conditions, like pregnancy.”
  • Sephora “sells products through its website, mobile application, and brick-and-mortar stores throughout California.”
  • When Sephora “sells products online, it collects personal information about consumers. This information includes the products that consumers view and purchase, consumers’ geolocation data, cookies and other user identifiers, and technical information about consumers’ operating systems and browser types.”
  • Sephora failed to tell consumers that Sephora was selling their personal information and failed to allow consumers to opt-out of those sales; “instead, Sephora did the opposite,” telling California consumers by its website that “we do not sell personal information.” Sephora also did not provide consumers with an easy-to-find “Do Not Sell My Personal Information” link, either on its webpage or in its app.
  • Sephora made consumers’ personal information available to third-party companies for the purpose of obtaining discounted analytics services from those companies, “such as data about what shoppers did on its website or in its app, like how many people looked at a particular product.”
  • Sephora’s third-party analytics provider would use data gathered from other sources (i.e., the websites of its other retailer customers) to identify consumers and allow Sephora to serve targeted advertisements to those shoppers on the provider’s advertising network.

While Sephora’s third-party analytics provider is not identified in the OAG’s Complaint, the practices at issue are exceedingly common on retail websites and may include the use of popular tools such as Google Analytics. Coincidentally, earlier in 2022, Sephora was a subject of a complaint to the French data protection authority regarding the legality of data transfers from the EU to the U.S. through use of Google Analytics.

The OAG’s Complaint against Sephora and the parties’ proposed settlement offer valuable lessons to businesses, especially online retailers and others utilizing third-party data analytics providers:

  1. CCPA’s limitations on the “sale” of personal information may apply broadly to the sharing of such information with vendors.

The CCPA defines “sale” to mean: “… selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Notably, in enacting the CCPA statute, the California General Assembly rejected broader language from the underlying ballot initiative, which would also have defined “sale” to include: “… sharing orally, in writing, or by electronic or other means, a consumer’s personal information with a third party, whether for valuable consideration or for no consideration, for the third party’s commercial purposes.”

When the California General Assembly adopted the narrower statutory definition, there had been some suggestion that a “sale” would be interpreted not to occur without a mutual exchange of monetary or other valuable consideration.

Despite the narrower statutory definition, in announcing the proposed settlement with Sephora, the OAG contends that a “sale using online tracking technology” (a term not included or defined in the CCPA) constitutes a “sale” under the Act and occurs where a business discloses or makes available consumer personal information to third parties “through the use of online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies, in exchange for monetary or other valuable consideration, including, but not limited to: (1) personal information or other information such as analytics; or (2) free or discounted services.”

The OAG asserts that this tracking software allows third-party data vendors to track “all types of data” “and even a consumer’s precise location” and to create valuable profiles about individual consumers.

The OAG contends that Sephora’s arrangement with these third-party companies constituted a sale of personal information because “[r]etailers like Sephora benefit in kind from these arrangements, which allow them to more effectively target potential customers.”

The OAG’s Complaint here suggests that the narrower statutory interpretation has not won the day; rather, the OAG may be taking a broad interpretation that a sale occurs whenever a party obtains commercial benefits (e.g., free services or enhanced marketing of its own products) in exchange for sharing consumer data.

  2. Privacy policies must exactly describe the nature and scope of a business’s sharing of consumer data.

Importantly, the CCPA does not entirely prohibit the data sharing practices in which Sephora allegedly engaged. Rather, as with most other practices, CCPA only requires that a business disclose such practices to consumers and allow them the opportunity to opt out.

Perhaps Sephora was surprised to learn that the OAG had taken the broader interpretation of “sale,” because Sephora’s website privacy policy is alleged to have “expressly told consumers ‘that we do not sell personal information.’” Sephora also did not provide the “Do Not Sell My Personal Information” link on its website and mobile application, which is required when a business sells such data.

Considering the OAG’s broad interpretation of “sale,” the sharing of personal information with third party vendors, such as data analytics providers, in exchange for “in-kind” consideration such as free services or for the benefit of enhanced marketing services may need to be considered a sale. Businesses undertaking such sharing then would need to update their privacy policies to account for such “sales” and to provide consumers with the required opt-out from the sale of their personal information.

  3. Businesses must have contracts with third party service providers that receive consumer data.

In its Complaint, the OAG alleges that Sephora did not have “valid service provider contracts in place with each third party” that received Sephora’s consumer data.

The plain lesson here is that any business sharing personal information of California residents (or allowing access to such information) should have such written agreements in place with the recipients.

More interestingly, however, the OAG’s Complaint continues by noting that having valid service provider contracts in place with such third parties “is one exception to ‘sale’ under the CCPA.” CCPA, indeed, permits a business to share personal information with a “service provider” working on the business’s own behalf (including by enhancing the business’s own marketing efforts, presumably). But to do so, the business must have a written contract in place with the service provider that prohibits that provider from selling or sharing that information further, and from retaining, using, or disclosing that personal information for any purpose other than those set forth in the written contract.

It is worth noting again the emphasis placed by the OAG in its Complaint and press release on limiting third-party tracking software and the use of personal information by third parties to build consumer profiles that are not only utilized to the benefit of each of their business customers, but which also are shared for the benefit of other business customers of that third-party provider.

Given this, it may be that the OAG is not taking the sweeping interpretation that any sharing of personal information with third-party analytics providers is a “sale” subject to CCPA. Rather, the significantly more discrete issue here may be that Sephora shared consumer personal information with such a third-party provider without a written agreement restricting the provider from using that personal information for the provider’s own benefit or for the benefit of its other business customers.

If this is the case, then a business may still be able to avoid a conclusion that it sells personal information by limiting its contractual partners from onward use or sharing of such personal information for any purpose except to advance the business’s own marketing program. If this interpretation is correct, then the Sephora settlement is aimed more at reworking the digital marketing ecosystem than at forcing change to the privacy practices of an individual business.

  4. Privacy compliance must adapt to emerging technologies like the Global Privacy Control.

The OAG Complaint and the proposed consent Order both emphasize that businesses must comply with the Global Privacy Control. The Global Privacy Control is a specification that can be set by users’ internet browsers and extensions to automatically convey an opt-out from the sale of personal information. The use of such tools avoids the user having to exercise their right by hitting the “Do Not Sell My Personal Information” link on each website they visit.

The OAG has endorsed the Global Privacy Control, and the Sephora settlement establishes that all businesses should make their sites compatible with this technology. Businesses should also stay abreast of and permit the use of evolving global privacy controls, opt-out mechanisms, and other technology intended to allow users to automate the exercise of their rights under the CCPA.
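The Global Privacy Control signal described above is conveyed by the browser as the request header `Sec-GPC: 1` (defined by the GPC specification). The following is an added example, not code from the article, from Sephora, or from the OAG, of how a site can honor that signal server-side: before any third-party tag is emitted, the request is checked for the GPC header or for a prior explicit opt-out, and tags that would transfer personal information to third parties are withheld. The `Request` class, the cookie name `optout_sale`, and the `TAG_CATALOG` entries are constructed for this example and are not taken from the article or the settlement.

```python
"""Honor the Global Privacy Control (GPC) signal as a CCPA "do not sell" opt-out.

Added example; not from the article, Sephora, or the OAG. Assumptions:
- the browser header is "Sec-GPC: 1" (per the GPC specification);
- the site persists an explicit opt-out in a cookie named "optout_sale"
  (hypothetical cookie name chosen for this example).
"""
from dataclasses import dataclass, field
from typing import Mapping, List, Dict

GPC_HEADER = "sec-gpc"        # compared case-insensitively; HTTP header names are
OPTOUT_COOKIE = "optout_sale"  # hypothetical cookie set when the user clicks the
                               # "Do Not Sell My Personal Information" link

# Constructed tag catalogue: each tag records whether loading it makes personal
# information available to a third party (what the OAG calls a "sale using
# online tracking technology").
TAG_CATALOG: List[Dict[str, object]] = [
    {"name": "first-party-metrics", "sells_data": False},
    {"name": "ad-network-pixel", "sells_data": True},
    {"name": "analytics-sdk-shared-profiles", "sells_data": True},
]


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for a web framework request object."""
    headers: Mapping[str, str] = field(default_factory=dict)
    cookies: Mapping[str, str] = field(default_factory=dict)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header with the exact value "1" is present.

    The spec defines "1" as the only opt-out value; anything else (absent,
    "0", garbage) must not be treated as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def sale_opted_out(req: Request) -> bool:
    """Opt-out applies if the browser sends GPC or the user opted out earlier."""
    return gpc_signal_present(req.headers) or req.cookies.get(OPTOUT_COOKIE) == "1"


def tags_to_emit(req: Request, catalog=TAG_CATALOG) -> List[str]:
    """Names of tags the page may load for this request.

    When the consumer has opted out, every tag that would make personal
    information available to a third party is withheld; first-party tags
    that share nothing are unaffected.
    """
    if sale_opted_out(req):
        return [t["name"] for t in catalog if not t["sells_data"]]
    return [t["name"] for t in catalog]


def response_headers(req: Request) -> Dict[str, str]:
    """Response headers that make the opt-out durable and cache-safe.

    Design choice for this example: a GPC-signalled opt-out is persisted in the
    same cookie the "Do Not Sell" link sets, so it survives even if the user
    later visits from a browser without GPC; "Vary: Sec-GPC" stops a shared
    cache from serving a tag-laden page to an opted-out visitor.
    """
    out = {"Vary": "Sec-GPC"}
    if gpc_signal_present(req.headers) and req.cookies.get(OPTOUT_COOKIE) != "1":
        out["Set-Cookie"] = f"{OPTOUT_COOKIE}=1; Path=/; Secure; SameSite=Lax"
    return out


if __name__ == "__main__":
    visitor = Request(headers={"Sec-GPC": "1"})
    print(tags_to_emit(visitor))       # only first-party tags
    print(response_headers(visitor))   # persists the opt-out, sets Vary
```

In a real deployment the check belongs in middleware that runs before templates render, so that no third-party script, pixel, or SDK call is ever emitted for an opted-out request; logging the decision alongside the request gives the audit trail needed to show that the signal was processed.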

  5. Businesses should respond promptly to update privacy practices upon notice from the OAG.

The OAG’s Complaint alleges that it notified Sephora of the alleged violations of the CCPA on June 25, 2021. Under CCPA, until January 1, 2023, the OAG is required to provide businesses with a 30-day cure period. Perhaps again suggesting that Sephora had been working under a good-faith assumption that its data-sharing practices did not constitute a “sale,” however, Sephora did not act immediately in response to that notice by updating its privacy policy to address its alleged “sales.” Sephora likewise did not immediately post a “Do Not Sell My Personal Information” link, and did not begin processing consumer opt-outs via the Global Privacy Control.

Now that OAG’s interpretation of “sale” has been made clear, businesses can avoid potential fines and penalties by adopting compliant measures now or promptly in response to an OAG notice to cure. The alternative would be to litigate whether OAG’s statutory construction of “sale” is a proper one, and thereby risk an uncertain outcome and substantial penalties.

Devin Chwastyk is a member of McNees Wallace & Nurick LLC and the Chair of the firm’s Privacy & Data Security Group. For more than 15 years, he has counseled businesses on compliance with emerging privacy laws, represented parties in data breach litigation, and helped clients respond to data security incidents. Christian Wolgemuth is an associate in the Group, and previously worked as a cybersecurity consultant for an international accounting and consulting firm.