Settlement under CCPA Sets Precedent for Privacy


A settlement was reached in August 2022 between cosmetics giant Sephora USA, Inc. and the California Attorney General. The Attorney General’s office alleged that Sephora violated the California Consumer Privacy Act (CCPA). According to the complaint, Sephora sold customer data and information without customer consent.

SEPHORA’S INVOLVEMENT

The Sephora settlement marks a significant outcome under the state’s 2018 privacy law. The beauty retailer paid $1.2 million in settlement fees and ensured that customer data won’t be sold without consumer consent again.

During an investigation into the sales practices of online retailers, the office of California Attorney General Rob Bonta discovered that Sephora not only failed to disclose the usage and sale of customer data, but also failed to honor opt-out requests from customers. Neglecting any regulatory practices, Sephora arranged to sell customer information to third-party companies that would monitor customers while they shopped on Sephora’s online store.

Bonta alleged that Sephora benefitted from selling consumer data after collecting personal information through cookies and pixels on its mobile app and website. The cosmetics company argues that the “sale” of such data was meant to provide customers with tailored shopping experiences by recommending relevant Sephora products or promoting personalized ads. While Sephora does not admit fault, it has agreed to abide by the rules of the settlement agreement, providing transactional reports that assess the recipients of Sephora’s collection of personal information.

This issue doesn’t stem only from the policies that are in place; it also stems from the practices that are not. Bonta’s complaint also alleges that Sephora failed to honor consumers’ Global Privacy Control (GPC) signals. Sephora claims that its website was not structured to detect GPC signals. A GPC signal indicates a customer’s decision to opt out of services, such as the permission to have their data sold. Per the terms of the settlement agreement, Sephora was also required to implement GPC indicators to remain compliant with the CCPA.

Tech Companies on Alert



Though Sephora is only a cosmetics company, its decision to settle creates a precedent under the CCPA and alerts far larger tech companies that their data practices may soon be under scrutiny if they are not vigilant. The Attorney General’s office has already delivered 100 notices to companies in violation of the CCPA, giving them 30 days to manage and fix their violation before action is taken.

California is cracking down on user and consumer privacy. With a sale under the CCPA defined as any transaction that provides the seller with a benefit or service, other companies are beginning to review the privacy notices and policies they have in place. The CCPA becomes a divisive act that promotes the safety of consumer information, and with the California Privacy Rights Act (CPRA) coming into effect by 2023, businesses will need to crack down on their privacy practices and security policies too.
