Warning that “[t]here are no more excuses,” California Attorney General on August 24, announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company failed to disclose to consumers that it was selling their personal information, and failed to process consumer requests to opt-out of sale by either offering a “Do Not Sell My Personal Information” link or via user-enabled global privacy controls. The order also requires Sephora to implement, assess, and report on a CCPA compliance program, in addition to other injunctive terms.
Treatment of Sales and Opt-Out Signals in the Settlement
The allegations in the complaint are consistent with the AG Office’s long-standing position that Do Not Sell is a central feature of the CCPA – “the hallmark of the CCPA,” in the language of the complaint – and indicate that the AG takes a broad view of “sales” under the CCPA. According to the complaint, the CCPA’s opt-out provision establishes “certain straightforward rules: if companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be ‘selling’ consumer personal information under the law.”
The “online tracking” described in the AG’s complaint is not limited to Sephora’s use of advertising cookies, pixels, or other technology. The AG also alleges that Sephora’s use of “analytics,” which is characterized as part of “third-party surveillance,” constituted sales, and the order requires that Sephora enable restricted data processing for its service providers.
In addition to alleging sales through online tracking technologies, the AG’s complaint also charges Sephora with failing to respond to user-enabled global privacy controls (GPC). The complaint states that Sephora’s practices were investigated as part of a June 2021 sweep of “large retailers,” to determine “whether they continued to sell personal information when a consumer signaled an opt-out via the GPC.” Although the GPC remains a proposed specification, the complaint alleges Sephora “completely ignored the GPC.”
Other Terms in the Order
In addition to imposing $1.2 million in civil penalties, the order requires Sephora to revise its disclosures and establish opt-out mechanisms via homepage link and GPC, to the extent that the company continues to sell personal information. The order also requires Sephora to conform its service provider agreements to the CCPA’s requirements, and provide an initial and two annual reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.
What does this mean for businesses subject to CCPA?
First, if the AG sends a letter advising a business of CCPA violations, swift action may prevent additional investigation or enforcement action. Here, the complaint explains that the AG’s investigation followed Sephora’s “fail[ure] to cure any of the alleged violations” and “le[d] to this enforcement action.”
Second, companies that use technology to track consumer behavior online, which is ubiquitous, should reassess whether their practices result in CCPA sales. In particular, the AG may not regard analytics categorically to warrant treatment as a service provider offering.
Finally, it is important to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations.
We’re keeping an eye on these issues, new case examples from the AG, and more.