In a significant action of interest to any business with customers in California, the state’s Attorney General announced its first enforcement action under the California Consumer Privacy Act (CCPA). The result is a fine and settlement for a multinational retailer. For businesses subject to the CCPA, important lessons can be drawn from the action to avoid facing similar discipline.

Background of Enforcement Action and Settlement

The August 24, 2022, action against the French global cosmetics chain Sephora involved allegations that Sephora violated the CCPA by failing to disclose it was selling the personal information of California consumers, failing to provide a “Do Not Sell My Personal Information” link on its website, and failing to honor global privacy control opt-out signals from web browsers to opt consumers out of the sale of their personal information. By way of settlement and entry of a final judgment, Sephora agreed to pay a $1.2-million penalty and implement a two-year monitoring and reporting program intended to demonstrate its ongoing compliance with the CCPA.  

In its complaint, the Attorney General alleged Sephora’s collection of personal information about consumers while they shopped for products online and subsequent sharing of the personal information with third-party companies for the purpose of obtaining free or discounted advertising and analytics in return constituted a “sale” under the CCPA. The Attorney General further alleged Sephora knew that it would receive discounted or higher-quality analytics and other services derived from the data about consumers’ online activities, including the option to target advertisements to customers that had merely browsed for products online. Sephora did not have valid service provider contracts in place with each third party, and, as a result, all of the transactions were alleged to be “sales” under the law.

As a seller of California consumers’ personal information, the Attorney General claimed Sephora had not met its obligations under the CCPA, including posting a “Do Not Sell My Personal Information” link on its website and providing notice to consumers that it had sold personal information in the last 12 months.  Additionally, the Attorney General alleged Sephora did not allow consumers to opt-out of the sale of their personal information by honoring opt-out requests made through a global privacy control (GPC) signal. The Attorney General asserted it notified Sephora of the violations, but that the company did not cure the violations within 30 days as allowed under the statute. The Attorney General also claimed Sephora’s conduct violated California’s Unfair Competition Law by making false or misleading statements about the sale of customers’ personal information and unfairly denying customers the ability to opt out of the sale of their personal information.

Ultimately, Sephora settled the matter and a final judgment was filed with the San Francisco Superior Court. Pursuant to the settlement and final judgment, Sephora agreed to pay a $1.2-million penalty. It also agreed to a two-year monitoring and reporting program whereby the company must monitor its compliance with the CCPA, including how it responds to opt-out requests, and submit annual reports to the Attorney General describing efforts to honor the GPC and listing third parties to whom personal information is made available.

Key Lessons Learned

The Sephora enforcement action highlights several key important takeaways for businesses working to comply with the CCPA:

• Ensure GPC signals are honored. While there remains some question as to the enforceability of the requirement to honor GPC signals, unless a company is prepared to litigate the issue, companies should ensure their websites are capable of receiving and honoring such global privacy control signals. As the Attorney General previously explained in implementing regulations, global privacy controls, such as a browser plug-ins or privacy settings, device settings, or other mechanisms that communicates a consumer’s choice to opt-out of the sale of their personal information, should be treated as a valid opt-out request under the CCPA. Businesses should review their websites’ capabilities to ensure they can recognize and honor global privacy controls by opting consumers out of the sale of their personal information accordingly.   
• Review relationships with analytics providers.  Businesses should take the time to evaluate their relationships with analytics and advertising providers to determine whether any transfers of information constitute a “sale” under the CCPA. The Sephora enforcement action demonstrates that, absent a service provider contract, sharing consumers’ personal information in exchange for free or discounted analytics and advertising will be considered a “sale” by the Attorney General under the CCPA. Where this is occurring, businesses should ensure the corresponding opt-out requirements under the CCPA are implemented, including updating privacy policies and adding a “Do Not Sell My Personal Information” link to the business’s website.
• Review service provider relationships and contracts.  If personal information is disclosed to service providers, businesses should ensure the required contractual terms are in place, including restrictions on the use of the personal information. Further, businesses should be aware that the Consumer Privacy Rights Act (CPRA), an amendment to the current CCPA that goes into effect on January 1, 2023, modifies the service provider requirements.
• Take note of the changing regulatory landscape.  In addition to the Sephora enforcement action, the Attorney General announced that additional notices had been sent to businesses alleging various failures to process consumer opt-out requests made through GPC signals. Businesses should take heed of this clear enforcement priority for the Attorney General.  Further, upon receipt of a letter from the Attorney General alleging violations under the CCPA, businesses should utilize the 30-day cure period while it lasts. The illustrative examples of prior CCPA investigations that did not become public show that the Attorney General is receptive to working with businesses to cure alleged violations. The cure period, however, will expire on January 1, 2023. In light of the expiring cure period, businesses should use this opportunity to review their CCPA policies and procedures and prepare for the upcoming changes under the CPRA.

Other Important California Privacy Law Updates

Businesses should also take note that the prior amendments to the CCPA and CPRA extending limited exemptions for employee-related (HR) and business-to-business (B2B) data that have existed under the CCPA since its inception are scheduled to sunset on January 1, 2023. Despite efforts to extend the temporary exemptions, the California legislative session ended on August 31, 2022 without any further extensions. With the sunset of the HR and B2B exemptions, businesses will be obligated to provide California personnel, job applicants and business contacts with the full array of disclosures and rights available to California consumers under the CCPA/CPRA as of January 1, 2023.

The legal privacy landscape in California continues to evolve. It is important for businesses to stay on top of the ever-changing laws and regulations, as well as resulting enforcement actions. Knowledgeable outside counsel can be of great assistance in such efforts.