On August 24, 2022, the California Attorney General (AG) announced a first-of-its-kind settlement with Sephora, Inc. (Sephora) over Sephora’s alleged violation of the California Consumer Privacy Act (CCPA). The settlement imposed a $1.2 million fine and injunctive measures—as well as a two-year monitorship—to ensure Sephora’s compliance with certain parts of the CCPA related to consumer opt-outs from the sale of information, including through recognition of the Global Privacy Control (GPC).
The CCPA includes provisions that require businesses subject to the CCPA to allow consumers to opt out of the “sale” of their personal information by the business. The definition of “sale” under the CCPA is very broad, as highlighted by the AG’s complaint against and settlement with Sephora. In the Sephora matter, the AG’s complaint describes how a business’s use of “widely-used” advertising and analytics technologies can, in the AG’s view, constitute a “sale” of information from which consumers must be given the right to opt out, including through the GPC.
Pursuant to the settlement, in addition to a $1.2 million payment, Sephora was ordered to provide notice of its “sale” of personal information practices, provide a “Do Not Sell” mechanism on its website and implement the capability to process GPC signals. Sephora was also given 180 days to develop the following:
A program to assess whether it is effectively processing consumer opt-out requests and requests submitted via GPC, including annual reports submitted to the AG for two years after the 180-day implementation period, detailing its implementation of the opt-out mechanisms and an analysis of any errors or technical problems encountered and remediated; and
A program to conduct an annual review of its website and mobile applications to determine the entities to which it makes personal information available, as well as annual reports submitted to the AG for two years after the 180-day implementation period, detailing the names of the entities to which Sephora makes personal information available, its purpose for making that information available, and whether Sephora characterizes such entities as service providers, so as to ensure proper categorization of its service providers.
Sephora did not admit any wrongdoing in connection with the settlement.
Aside from being the first public CCPA settlement, there are several noteworthy aspects of the AG’s announcement:
First, the timing is significant. The California Privacy Protection Agency (CPPA)—the new regulatory agency tasked with enforcing the CCPA—just closed the window for public comment to its proposed CCPA regulations, which include a controversial set of regulations related to opt-out browser signals. The AG’s focus on GPC in its complaint against Sephora is hard to see as a coincidence.
Second, and related, the AG’s focus on GPC should be a wake-up call to companies that may not have previously focused on that requirement in the existing regulations.
Third, the settlement should be a reminder to companies that the 30-day cure period is an opportunity to act to avoid this same outcome.
Fourth, the inclusion of a monitorship, while not surprising, highlights what many companies will consider among the highest costs of CCPA noncompliance.
Finally, the AG’s announcement takes a clear stance on the contested debate over the meaning of “sale” under the CCPA. Like Sephora, many other companies had taken the position that the use of web advertising and analytics technologies does not amount to a “sale” under the CCPA. This issue will largely become moot when the CCPA amendments, which take effect next year, introduce a new right to opt out of “sharing” that is specifically drafted to cover targeted advertising technologies. Still, through the Sephora settlement, the AG is making clear its view that the CCPA’s “sale” provisions already cover these technologies, and that companies that do not currently provide an opt-out of targeted advertising are out of compliance with the CCPA. Companies should assess their compliance posture—and the timeline for implementing any new opt-out rights—accordingly.