Sephora Pays $1.2M to Settle CA Privacy Law Claims under CCPA
Enforcing the relatively new California Consumer Privacy Act (CCPA), the State of California has secured a $1.2M settlement [PDF] stemming from allegations that Sephora USA, Inc. (Sephora) sold information about people without their full consent. Sephora also allegedly failed to process consumers’ requests to opt-out of the sale of this info, in violation of the state’s privacy law. According to court documents, [PDF], Sephora allegedly granted third-party companies including advertising networks and data analytics providers access to its customers’ online activities in exchange for advertising or analytic services. This allegedly allowed these third parties to create profiles of citizens by tracking online activities such as what type of computer is being used (MacBook® or Dell®), the brand of eyeliner they bought, or even which prenatal vitamins they added to their online shopping cart, as well as their precise location. According to California Attorney General Rob Bonta (AG Bonta) and the Complaint, the trade of personal information for analytics and the trade of information for an advertising option constitutes sales under the CCPA.
Sephora did not agree. Sephora claimed that it uses data strictly for Sephora experiences, and Sephora argued that the CCPA does not define a “sale” in the traditional sense. According to Sephora, the CCPA definition of “sale” includes common, industry-wide technology practices such as cookies which allows Sephora to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences, and ads. Sephora also explained that since November 2021, its customers have had the opportunity to electively “opt-out” of this personalized shopping experience or by using a browser that broadcasts a “do not sell” signal across every website the customer visits, without the need to click each time on an “opt-out” link, such as the Global Privacy Control (GPC).
The state’s investigation used browser extensions to monitor network traffic involving third-party advertising and analytics providers when visiting Sephora’s dot com and then looked at how that traffic changed when consumers turned on the GPC — essentially telling Sephora: do not sell my info. According to the complaint, Sephora’s website ignored that signal, and the state, when investigating Sephora’s website, found that activating the GPC had no effect and that data continued to flow to third-party companies, including advertising and analytics providers. According to the state, Sephora failed to configure its website to detect or process any global privacy control signals, including the GPC.
In sum, Sephora completely ignored the GPC. The complaint and resulting settlement firmly establish that applicable companies must ensure that their website interfaces with the GPC or other global privacy control signals. Requiring a customer to “opt out” of individual websites separately is not sufficient. California AG Bonta expressly makes clear that his office is watching – and monitoring – company website activities as they relate to consumer privacy and security and will prosecute for failure to comply with the CCPA.
Contact Our Attorneys Today
The attorneys at Kendall PC have over three decades of legal experience serving as general, litigation, and special counsel to a wide variety of regulated industry entities. Our firm offers comprehensive legal services to clients facing regulatory litigation matters, including fraud and abuse government investigations.
To learn how our attorneys can help your company, contact Kendall PC today online or at (484) 414-4093. Our firm proudly serves small, midsized, and emerging businesses throughout the United States and across the globe.
