
Sephora Hit by First CCPA Enforcement Action, Settlement Carries $1.2 Million in Penalties for Targeted Advertising Privacy Violations

The first California Consumer Privacy Act (CCPA) enforcement action has just been handed down, resulting in $1.2 million in penalties and a mandatory compliance program for cosmetics giant Sephora. The case involved third-party access to information about customer purchases and the types of devices they were using, a privacy violation under the state’s consumer law.

The CCPA enforcement action comes just a few months before the law is scheduled to be amended and expanded by the California Privacy Rights Act (CPRA). California Attorney General Rob Bonta has indicated that further actions are planned, noting that the Sephora case stemmed from an “enforcement sweep” of online retailers and that non-compliance notices had been issued to a number of other businesses. The current CCPA enforcement terms may actually wind up being relatively beneficial to some of these businesses, as the CPRA will put an end to the mandatory “notice and cure” provision when it takes effect on January 1, 2023.

First CCPA enforcement action looks to set tone despite looming rule change

The Attorney General’s investigation found that Sephora failed to disclose to consumers that personal information was being sold to third parties, and that it failed to process opt-out requests that should have prevented this information from being sold. Sephora was given a 30-day cure notice but failed to make the requisite changes in time. Information about the exact items that customers were purchasing (or adding to a shopping cart) was sold for targeted advertising purposes, paired in some cases with their location and the brand of device they were using.

The $1.2 million in privacy violation penalties is accompanied by a number of injunctive terms. Going forward Sephora is required to bring its privacy policy and consumer disclosures up to CCPA compliance standard, ensure the mandatory Global Privacy Control is properly implemented to allow consumers to opt out, and report on these efforts to the Attorney General’s office.

The CCPA itself went into effect at the beginning of 2020; the Global Privacy Control (GPC) became a mandatory component of its terms later, through an update to the enforcement regulations (July 2021, according to the Attorney General’s office). The system allows California consumers to activate a persistent “do not sell” signal that websites are supposed to recognize without having the user click through any links or perform any manual actions specific to their site. Technically, a browser or extension that implements GPC sends the `Sec-GPC: 1` request header with every request and exposes the same preference to page scripts as `navigator.globalPrivacyControl`. The concept is essentially a rebirth of the “Do Not Track” technology; not all web browsers have implemented support for it, nor are they required to in any way, but California businesses have been required to treat the signal as a valid opt-out request whenever a user sends it.

Some 112 businesses were reportedly contacted about privacy violations as part of the sweep that caught Sephora. The Attorney General’s office said that “most” of these got back into compliance during their 30-day notice period. For its part, Sephora issued a statement claiming that it has always been in compliance with CCPA rules and declined to acknowledge wrongdoing as part of its settlement.

Penalties for privacy violations may come as a surprise to some California businesses after long grace period

Though it was not a formal grace period, the lull of about two years between the onset of the state’s data privacy terms and this initial CCPA enforcement action may have caused some businesses to believe that they had little to worry about until the CPRA took over in 2023. The specter of a federal law that could preempt California state law has also recently been raised by Congress in the form of the American Data Privacy and Protection Act.

Ilia Kolochenko, Founder/CEO/Chief Architect of ImmuniWeb, sees this as a near-term win for California consumers but a long-term problem that could end up being to their detriment: “Whilst being good news for consumers, this is an alarming trend for businesses. Contrasted to the EU, in the United States, there is still no nationwide and overarching privacy legislation on the federal level, pushing individual states to legislate on the matter and fill the gap. If the trend persists, in a decade, we will have 50 heterogeneous privacy and data protection regimes, making business in the US impossible both for domestic and foreign companies … polarized and incongruent enforcement from one state to another undermines the predictability and certainty of the legal landscape. That being said, federal legislation that would finally harmonize the American data protection regime is urgently needed.”

The key takeaway from the Sephora case is that CCPA enforcement is clearly on the table for at least the rest of this year, and that the Attorney General’s office is actively inspecting California websites for compliance. Consumers are able to bring state attention to potential CCPA violations via an online submission form. The case also illustrates that a failure to cure can trigger a broader investigation that potentially turns up additional privacy violations and leads to bigger fines.

Even those businesses that genuinely believe they are in compliance might still find themselves in the CCPA enforcement crosshairs due to some oversight, such as a failure to ensure that Global Privacy Control signals are actually detected and honored by the site, not merely mentioned in the privacy policy. The CCPA does not limit “sale” of customer information to a strict exchange for money; it adds “valuable consideration” as a factor governing any data sharing with partners, which is broad enough to cover the exchange of purchase and device data with an advertising partner in return for analytics or ad services. Loyalty programs that offer a financial incentive to consumers are also covered under these terms.

Jeff Sizemore, chief governance officer at Egnyte, adds that this decision should be a prompt for companies in any state with a comparable law (such as Colorado or Virginia) to review their compliance status: “The recent fine levied on Sephora by the state of California is a brutal wake-up call for organizations that don’t take rapidly-evolving data privacy regulations seriously.

“Critically important is the need to quickly review and immediately correct deficiencies that are provided in cure notices by state data privacy authorities. If your company does business in California, Virginia, Colorado, Utah or Connecticut, I encourage you to get prepared now for the new/updated legislation that will go into effect in 2023.”