Warning that “[t]here are no more excuses,” California Attorney General on August 24, announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company failed to disclose to consumers that it was selling their personal information, and failed to process consumer requests to opt-out of sale by either offering a Do Not Sell My Personal Information” link or via user-enabled global privacy controls. The order also requires Sephora to implement, assess, and report on a CCPA compliance program, in addition to other injunctive terms.

Treatment of Sales and Opt-Out Signals in the Settlement

The allegations in the complaint are consistent with the AG Office’s long-standing position that Do Not Sell is a central feature of the CCPA – the hallmark of the CCPA,” in the language of the complaint – and indicate that the AG takes a broad view of sales” under the CCPA. According to the complaint, the CCPA’s opt-out provision establishes certain straightforward rules: if companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be selling’ consumer personal information under the law.”

Taken together, the complaint and order entrench a sweeping view of sales: online tracking technologies” that make personal information available to third parties in exchange for monetary or other valuable consideration,” including analytics and free or discounted services” are defined as sales under the order. The AG alleges that Sephora disclosed its use of online tracking technology but not the sale of personal information. According to the complaint, the opposite was true: the privacy policy stated we do not sell personal information,” and the company did not offer an opt-out of sale by any method. (The complaint also includes a deception count under California’s Unfair Competition Law, which focuses on these representations.)

The online tracking” described in the AG’s complaint is not limited to Sephora’s use of advertising cookies, pixels, or other technology. The AG also alleges that Sephora’s use of analytics,” which is characterized as part of third-party surveillance,” constituted sales, and the order requires that Sephora enable restricted data processing for its service providers.

In addition to alleging sales through online tracking technologies, the AG’s complaint also charges Sephora with failing to respond to user-enabled global privacy controls (GPC). The complaint states that Sephora’s practices were investigated as part of a June 2021 sweep of large retailers,” to determine whether they continued to sell personal information when a consumer signaled an opt-out via the GPC.” Although the GPC remains a proposed specification, the complaint alleges Sephora completely ignored the GPC.”

Other Terms in the Order

In addition to imposing $1.2 million in civil penalties, the order requires Sephora to revise its disclosures and establish opt-out mechanisms via homepage link and GPC, to the extent that the company continues to sell personal information. The order also requires Sephora to conform its service provider agreements to the CCPA’s requirements, and provide an initial and two annual reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

What does this mean for businesses subject to CCPA?

First, if the AG sends a letter advising a business of CCPA violations, swift action may prevent additional investigation or enforcement action. Here, the complaint explains that the AG’s investigation followed Sephora’s fail[ure] to cure any of the alleged violations” and le[d] to this enforcement action.”

Second, companies that use technology to track consumer behavior online, which is ubiquitous, should reassess whether their practices result in CCPA sales. In particular, the AG may not regard analytics categorically to warrant treatment as a service provider offering.

Finally, it is important to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations.

We’re keeping an eye on these issues, new case examples from the AG, and more.