California Attorney General Announces First CCPA Settlement

The CCPA includes provisions that require businesses subject to the CCPA to allow consumers to opt out of the “sale” of their personal information by the business. The definition of “sale” under the CCPA is very broad, as highlighted by the AG’s complaint against and settlement with Sephora. In the Sephora matter, the AG’s complaint describes how a business’ use of “widely-used” advertising and analytics technologies can, in the AG’s view, constitute a “sale” of information for which consumers must be given the right to opt out of, including through the GPC.

The AG’s press release and complaint details how in June 2021 the AG conducted an “enforcement sweep” of large online retailers to assess their compliance with the CCPA’s opt-out of sale requirements and their ability to process GPC. The AG alleges that, although Sephora collected and shared internet activity data with third-party advertising networks and analytics providers, Sephora’s privacy policy represented that it did not “sell” personal information and that Sephora’s website did not include a “Do Not Sell” link, nor did it recognize the GPC. The AG alleges that it sent Sephora a notice of noncompliance with the CCPA and that Sephora did not cure the noncompliance within 30 days, leading to the AG’s enforcement action and, ultimately, the settlement announced yesterday.

Pursuant to the settlement, in addition to a $1.2 million payment, Sephora was ordered to provide notice of its “sale” of personal information practices, provide a “Do Not Sell” mechanism on its website and implement the capability to process GPC signals. Sephora was also given 180 days to develop the following:

• A program to assess whether it is effectively processing consumer opt-out requests and requests submitted via GPC, including annual reports submitted to the AG for two years after the 180-day implementation period, detailing its implementation of the opt-out mechanisms and an analysis of any errors or technical problems encountered and remediated; and
• A program to conduct an annual review of its website and mobile applications to determine the entities to which it makes personal information available as well as annual reports submitted to the AG for two years after the 180-day implementation period, detailing the names of the entities to which Sephora makes personal information available, its purpose for making that information available, whether Sephora characterizes such entities as service providers and to ensure proper categorization of its service providers.

Sephora did not admit any wrongdoing in connection with the settlement.

Aside from being the first public CCPA settlement, there are several noteworthy aspects of the AG’s announcement:

• First, the timing is significant. The California Privacy Protection Agency (CPPA)—the new regulatory agency tasked with enforcing the CCPA—just closed the window for public comment to its proposed CCPA regulations, which include a controversial set of regulations related to opt-out browser signals. The AG’s focus on GPC in its complaint against Sephora is hard to see as a coincidence.
• Second, and related, the AG’s focus on GPC should be a wake-up call to companies that may have not previously focused on that requirement in the existing regulations.
• Third, the settlement should be a reminder to companies that the 30-day cure period is an opportunity to act to avoid this same outcome.
• Fourth, the inclusion of a monitorship, while not surprising, highlights what many companies will consider among the highest costs of CCPA noncompliance.

Finally, the AG’s announcement takes a clear stance on the contested debate over the meaning of “sale” under the CCPA. Like Sephora, many other companies had taken the position that the use of web advertising and analytics technologies does not amount to a “sale” under the CCPA. This issue will largely become moot when the CCPA amendments, which take effect next year, introduce a new right to opt out of “sharing” that is specifically drafted to cover targeted advertising technologies. Still, through the Sephora settlement, the AG is making clear its view that the CCPA’s “sale” provisions already cover these technologies, and that companies that do not currently provide an opt-out of targeted advertising are out of compliance with the CCPA. Companies should assess their compliance posture—and the timeline for implementing any new opt-out rights—accordingly.

QUESTIONS?

If you have questions about sale obligations under the CCPA or need any assistance with privacy program compliance, please reach out to your McDermott lawyer or contact Michael G. Morgan, David P. Saunders, Amy C. Pimentel, Elliot R. Golding or Fran P. Forte.