Lessons Learned on Privacy Compliance from the Enforcement Action Against Sephora

September 7, 2022

On August 24, 2022, the California Attorney General announced its first enforcement action – including a fine for $1.2 million – under the California Consumer Protection Act (“CCPA”).  The Attorney General brought its enforcement action by filing a civil complaint against Sephora.  The following day, and the same day the Attorney General announced the enforcement action, the parties filed a proposed settlement agreement that was approved by the Superior Court of the State of California.  Under the settlement agreement, Sephora will pay a fine of $1.2 million and be required to undertake significant remedial measures for its violations of the CCPA.  McNees’s full analysis of the settlement and its ramifications for businesses (especially online retailers and marketers) was published in the Legal Intelligencer and is summarized below.

Sephora’s business practices, as alleged in the civil complaint, are likely to sound familiar to many businesses operating online.  The Attorney General asserts that Sephora installed third-party tracking software on its website and in its app so that those third parties could monitor consumers while they shop.  The third parties used the data they collected to build profiles of those consumers who visited Sephora’s website and app, and then used those profiles for Sephora’s benefit.  In exchange for allowing the collection of data, Sephora received discounted website analytics and targeted advertising from those third parties.

According to the Attorney General, this arrangement constituted a sale of personal information.  The CCPA defines a “sale” as the “… selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”  Emphasis added.  In its complaint, the Attorney General applied that broad rule and stated that “if companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be ‘selling’ consumer personal information under the [CCPA].”

Selling consumer personal information is not strictly prohibited by the CCPA.  Sephora would not have been on the receiving end of the Attorney General’s enforcement action but for its failure to meet its obligations that stem from the sale of consumer personal information.  Specifically, the complaint alleges that:

  • Sephora sold consumer personal information (as described above);
  • Sephora failed to disclose to consumers in its privacy policy that it was selling their personal information;
  • Sephora failed to give consumers the option and ability to opt out of the sale of their personal information using a “Do Not Sell My Personal Information” link on its webpage and app;
  • Sephora failed to process and honor consumers’ automatic requests to opt out of the sale of their personal information via user-enabled Global Privacy Controls;
  • Sephora did not have adequate contractual provisions in place with its service providers to protect consumers’ personal information (which would have provided an exception to the “sale” of personal information under the CCPA); and
  • Sephora failed to cure these defects during the 30-day grace period currently allowed by the CCPA.

When announcing the terms of the settlement – including the $1.2 million fine and other injunctive and compliance measures – the Attorney General gave a stark warning to businesses who sell personal information, and, in referencing this and future enforcement actions, said “the kid gloves are coming off.”  Accordingly, there are several lessons that businesses should take now if they, like Sephora, are subject to the California Consumer Protection Act:

  1. Businesses must review their privacy policies and ensure they adequately disclose whether they are selling consumer personal information.

At the heart of the Attorney General’s complaint was the allegation that Sephora failed to disclose to consumers that it was selling their personal information.  As previously discussed, the arrangement whereby Sephora received discounted analytics and targeted advertising from third parties in exchange for allowing third parties to gather information about visitors to Sephora’s website and app constituted a “sale” under the CCPA.  Selling personal information is not strictly barred by the CCPA, but if companies engage in a transfer of personal information and receive a benefit for it, they must disclose the practice as a “sale” in their privacy policy.

  2. Privacy policies must include a “Do Not Sell My Personal Information” link.

The CCPA requires businesses to give consumers the right to opt out of the sale of their personal information via a “Do Not Sell My Personal Information” link found in their privacy policies.  By not including this opt-out mechanism in its privacy policy, Sephora failed to provide the opt-out right to consumers that the CCPA requires.  Any business engaged in the “sale” of consumer personal information must ensure that its privacy policy includes this standardized opt-out mechanism.

  3. Businesses must implement automatic processing of Global Privacy Controls into their websites.

The Global Privacy Control is a specification that can be set by users’ internet browsers and extensions to automatically convey an opt-out from the sale of personal information. The use of such tools avoids the user having to exercise their right by hitting the “Do Not Sell My Personal Information” link on each website they visit.  The Attorney General has endorsed the Global Privacy Control, and the Sephora settlement establishes that all businesses should make their sites compatible with this technology. Businesses should also stay abreast of and permit the use of evolving technical standards (like the Global Privacy Control), opt-out mechanisms, and other technology intended to allow users to automate the exercise of their rights under the CCPA.
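One concrete way a site can honor the signal described above, added here as an illustration and not drawn from the alert or from any particular vendor's implementation: the Global Privacy Control specification conveys the opt-out as the HTTP request header `Sec-GPC: 1` and, in the browser, as the `navigator.globalPrivacyControl` property. The request headers, the tag catalogue and the audit-record shape below are constructed for the example; the helper names (`hasGpcOptOut`, `selectTags`, `clientSignalsGpc`, `auditRecord`) are hypothetical rather than part of any framework.

```javascript
// Added example: treating a Global Privacy Control (GPC) signal as an opt-out
// from the "sale" of personal information before any third-party tag loads.

const GPC_HEADER = 'sec-gpc';

// True only when the request carries a valid GPC signal. Header names are
// case-insensitive; the specification defines "1" as the only opt-out value,
// so any other value (or a missing header) is treated as "no signal".
function hasGpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser-side equivalent: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl. The argument is a navigator-like object so
// the function can be exercised outside a browser.
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed tag catalogue. Each entry records whether loading the tag makes
// personal information available to a third party for a benefit, i.e. whether
// it would count as a "sale" under the CCPA as the complaint describes it.
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', sharesPersonalInfo: false },
  { name: 'ad-network-pixel', sharesPersonalInfo: true },
  { name: 'cross-site-analytics', sharesPersonalInfo: true },
];

// Decide which tags a page may load for this request. A GPC signal is honored
// exactly like a click on the "Do Not Sell My Personal Information" link, so
// either source of opt-out suppresses every tag that shares personal info.
function selectTags(headers, tags, explicitOptOut = false) {
  const optedOut = explicitOptOut || hasGpcOptOut(headers);
  const allowed = [];
  const suppressed = [];
  for (const tag of tags) {
    if (optedOut && tag.sharesPersonalInfo) {
      suppressed.push(tag.name);
    } else {
      allowed.push(tag.name);
    }
  }
  return { optedOut, allowed, suppressed };
}

// Build an audit record of the decision so that honoring of opt-outs can be
// demonstrated later. `decidedAt` is passed in to keep the output deterministic.
function auditRecord(requestId, decision, decidedAt) {
  return {
    requestId,
    optedOut: decision.optedOut,
    allowed: decision.allowed.slice(),
    suppressed: decision.suppressed.slice(),
    decidedAt,
  };
}

// Demonstration on a constructed request that carries the GPC header.
const demoHeaders = { 'Sec-GPC': '1', 'User-Agent': 'constructed-example' };
const demoDecision = selectTags(demoHeaders, SAMPLE_TAGS);
console.log(auditRecord('req-0001', demoDecision, '2022-09-07T00:00:00Z'));
```

The decision is made once per request and recorded, which is the evidence a business would want on hand if asked to show that automatic opt-out signals are processed rather than merely received.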

  4. Businesses should review their contracts with service providers to ensure the transfer and handling of personal information does not constitute a “sale.”

The Attorney General’s complaint against Sephora specifically states that having “valid service-provider contracts in place with each third party” is an “exception to ‘sale’ under the CCPA.”  Businesses should take advantage of the protections offered by this exception and consider modifying the contracts they have with service providers to comply with the requirements of the CCPA.

  5. Businesses should respond promptly to cure any defects in their privacy practices upon notice from the Attorney General.

Under the CCPA, the Attorney General is required to provide businesses with notice of any alleged violations and grant them a 30-day cure period to rectify those violations.  While Sephora may have been operating under a good-faith assumption that its practices did not violate the CCPA, the Attorney General found that its privacy practices did not comply with the CCPA, and Sephora faced steep penalties as a result.  Accordingly, any business that receives a notice of violations from the Attorney General should take immediate action to update its privacy practices and bring them into compliance with the CCPA.

The Privacy & Data Security Group at McNees Wallace and Nurick LLC can help businesses make sense of the CCPA and the quickly evolving privacy landscape across the United States.  We help our clients determine which laws they may be subject to and whether they could be viewed as “selling” the data in their possession, and we help them meet their compliance requirements and obligations under varying state and federal laws.  With help from the McNees team, our clients are able to implement solutions to avoid costly enforcement actions, disruptions to normal business operations, and negative public sentiment.

© 2022 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.