Sephora Hit by First CCPA Enforcement Action, Settlement Leads to $1.2M Penalties for Targeted Advertising Privacy Breaches


The first California Consumer Privacy Act (CCPA) enforcement action has just been handed down, resulting in $1.2 million in penalties and a mandatory compliance program for cosmetics giant Sephora. The case involved third-party access to information about customers’ purchases and the types of devices they used, a privacy violation under the state’s consumer law.

CCPA enforcement actions began just months before the law is to be replaced by the California Privacy Rights Act (CPRA). California Attorney General Rob Bonta said more action is planned, noting that the Sephora case stemmed from an “enforcement sweep” of online retailers and that notices of non-compliance had been issued to a number of other companies. The CCPA’s terms may actually be relatively advantageous for some of these companies, as the CPRA will end the “notice and cure” provision when it takes effect on January 1.

CCPA’s first enforcement action appears to be setting the tone despite impending rule change

The attorney general’s investigation found that Sephora failed to disclose to consumers that personal information was being sold to third parties and failed to process takedown requests that should have prevented the sale of that information. Sephora received a 30-day cure notice but failed to make the required changes in time. Information about the exact items customers purchased (or added to a cart) was sold for targeted advertising purposes, associated with their location and the brand of device they were using in some cases.

The $1.2 million privacy breach penalties come with a number of injunctive conditions. Going forward, Sephora is required to bring its privacy policy and consumer disclosures up to the CCPA compliance standard, to ensure that mandatory global privacy controls are properly implemented to enable consumers to opt out, and to report on these efforts to the Attorney General’s Office.

Global Privacy Control has been a mandatory part of the CCPA terms since they went into effect in early 2020. The system allows California consumers to activate a permanent “do not sell” signal that websites are supposed to recognize without the user clicking through links or performing manual actions specific to each site. The concept is essentially a revival of “Do Not Track” technology; not all web browsers have implemented support for it, and they are under no obligation to do so, but California companies have been required to honor it when a user sends it since a July 2021 update to the CCPA regulations.
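The signal described above is concrete on the wire: a browser or extension with Global Privacy Control enabled sends the request header `Sec-GPC: 1`, and page scripts see the same state as `navigator.globalPrivacyControl`. The following is an added example, not code from the article or from Sephora, showing how a site's request handler can recognize the signal and withhold the data categories at issue in this case (cart contents, location, device brand) from advertising partners while recording each decision for audit. The function names, the request shape and the sample requests are this example's own constructions.

```javascript
// Added example: honouring the Global Privacy Control signal on the server.
// Per the GPC specification the opt-out header is "Sec-GPC: 1"; the "Sec-"
// prefix means page scripts cannot set it, so the value is browser-asserted.
// Function names (gpcOptOut, buildAdContext, shouldSkipAdTag) and the request
// object layout are assumptions made for this illustration.

// Parse the Sec-GPC header. Only the exact value "1" is a valid opt-out
// signal; absent, "0" or malformed values mean "no signal", never "consent".
function gpcOptOut(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  if (raw === undefined || raw === null) return false;
  return String(raw).trim() === '1';
}

// Decide what the handler may pass to third-party advertising tags and
// append the decision to a consent log so the behaviour can be audited later.
function buildAdContext(request, consentLog) {
  const optedOut = gpcOptOut(request.headers);
  consentLog.push({
    path: request.path,
    timestamp: request.timestamp,
    gpc: optedOut,
    action: optedOut ? 'suppress-sale' : 'share-with-partners',
  });
  if (optedOut) {
    // Nothing about purchases, location or device is handed to partners.
    return { shareWithPartners: false, partnerPayload: null };
  }
  return {
    shareWithPartners: true,
    partnerPayload: {
      cartItems: request.cart,
      location: request.geo,
      deviceBrand: request.deviceBrand,
    },
  };
}

// Client-side counterpart: check the same signal before loading an ad tag.
// Pass `navigator` from a page; returns true when the tag should be skipped.
function shouldSkipAdTag(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Constructed sample requests (not real traffic): one with GPC set, one with
// no header at all, one with the non-opt-out value "0".
const sampleRequests = [
  { path: '/cart', headers: { 'sec-gpc': '1' }, cart: ['lipstick-42'],
    geo: 'CA', deviceBrand: 'ExampleBrand', timestamp: '2022-08-24T10:00:00Z' },
  { path: '/cart', headers: {}, cart: ['serum-7'],
    geo: 'CA', deviceBrand: 'ExampleBrand', timestamp: '2022-08-24T10:00:01Z' },
  { path: '/cart', headers: { 'sec-gpc': '0' }, cart: ['mascara-3'],
    geo: 'CA', deviceBrand: 'ExampleBrand', timestamp: '2022-08-24T10:00:02Z' },
];

// Run the handler over the samples and return both the decisions and the log.
function runSamples() {
  const consentLog = [];
  const decisions = sampleRequests.map((req) => buildAdContext(req, consentLog));
  return { decisions, consentLog };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Two points a compliance review would check against such code: the opt-out path must be the one taken when the header is present, regardless of any cookie banner state, and the consent log must exist so that a "failure to honor the signal" finding can be reconstructed after the fact rather than argued from memory.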

Some 112 companies were reportedly contacted about privacy breaches as part of the sweep that caught Sephora. The attorney general’s office said “most” of them returned to compliance within their 30-day notice period. For its part, Sephora issued a statement saying it has always complied with CCPA rules, and it did not admit wrongdoing as part of the settlement.

Penalties for privacy violations may surprise some California companies after long grace period

While not an official grace period, the roughly two-year lull between the start of the state’s data privacy terms and these initial CCPA enforcement actions may have led some companies to believe they needn’t worry until the CPRA takes over in 2023. The specter of a federal law that could override California state law was also recently mooted by Congress in the form of the US Data Protection and Privacy Act.

Ilia Kolochenko, Founder/CEO/Chief Architect of ImmuniWeb, sees this as a short-term win for California consumers, but a long-term problem that could end up hurting them, as well as businesses: “Unlike the EU, in the US there is still no comprehensive, national privacy legislation at the federal level, prompting individual states to legislate and fill the void. If the trend continues, in a decade we will have 50 heterogeneous privacy and data protection regimes, making doing business in the United States impossible for both domestic and foreign companies… a polarized and incongruous application from one state to the other undermines the predictability and certainty of the legal landscape. That being said, federal legislation that would finally harmonize the US data protection regime is urgently needed.”

The key takeaway from the Sephora case is that CCPA enforcement is clearly on the table for at least the rest of this year and that the Attorney General’s office is actively inspecting California websites to ensure that they are compliant. Consumers can bring potential CCPA violations to the state’s attention through an online submission form. The case also illustrates that a failure to cure can trigger a wider investigation that could uncover additional privacy breaches and lead to larger fines.

Even companies that sincerely believe they are in compliance can still find themselves in the crosshairs of CCPA enforcement due to certain oversights, such as the failure to ensure that global privacy controls are implemented and working properly. The CCPA does not limit the “sale” of customer information to a strict exchange of money, adding “valuable consideration” as a factor governing any sharing of data with partners. Loyalty programs that offer a financial incentive to consumers are also covered by these terms.


Jeff Sizemore, director of governance at Egnyte, adds that the decision should prompt companies in any state with comparable laws (such as Colorado or Virginia) to review their compliance status: “The recent fine imposed on Sephora by the state of California is a stark red flag for organizations that don’t take rapidly changing data privacy regulations seriously.

“The need to promptly review and immediately correct deficiencies provided in processing notices by national data privacy authorities is of critical importance. If your company does business in California, Virginia, Colorado, Utah or Connecticut, I encourage you to prepare now for the new/updated legislation that will take effect in 2023.”
