On August 24, 2022, the multinational beauty retailer Sephora reached a settlement with the California Attorney General’s Office regarding alleged violations of the California Consumer Privacy Act (CCPA). The settlement showcases the significance of privacy compliance and provides valuable lessons for businesses navigating the evolving landscape of data protection. On the one-year anniversary of the settlement, let’s take a look back at what exactly happened and what it means for businesses now.

A Bird’s-Eye View of the Sephora CCPA Lawsuit

The California Attorney General alleged that Sephora violated the CCPA by failing to:

• Inform customers that the company sold their personal information
• Process opt-out requests from users who wanted their data to remain private
• Fix either of these violations within the CCPA’s 30-day grace period

The complaint also alleged that Sephora misled customers to believe they had successfully opted out even as the website continued to process their data as if nothing had happened. Additionally, the complaint alleged that Sephora provided customer data to third parties in exchange for higher-quality customer analytics or discounted services. The extent of Sephora’s alleged data collection meant that even if a user had searched for a product online without ever making a purchase, the user could still receive targeted ads based on that simple activity.

Sephora agreed to pay $1.2 million in penalties and abide by specific injunctive measures outlined in the settlement. These measures included:

• Enhanced disclosures: Sephora must clarify its online disclosures and privacy policy to explicitly state that it sells consumers’ personal information.
• Opt-out mechanisms: The company is required to provide consumers with accessible mechanisms to opt out of the sale of their personal information. This includes incorporating the Global Privacy Control (GPC), a third-party tool enabling users to signal their preference to opt out automatically.
• Service provider compliance: Sephora must align its service provider agreements with the CCPA’s requirements, ensuring that the third parties it collaborates with handle personal information appropriately.
• Reporting obligations: The company must provide regular reports to the Attorney General detailing its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

Key Insights from the Sephora CCPA Settlement

With the benefit of hindsight, we can see where Sephora went wrong and how the settlement addressed the alleged CCPA violations. But what does all this mean for companies now?

With Sephora’s settlement as a lesson, businesses can gather a few critical insights. The lawsuit emphasizes the importance of:

• Defining “sale of personal information” clearly: The settlement clarifies that the “sale” of personal information encompasses exchanging consumers’ data with third parties in exchange for analytic services, placing third-party advertising cookies, or utilizing other data collection technologies. This interpretation aligns with the California Privacy Rights Act (CPRA), a set of amendments to the CCPA, which expand the definition of “sale” or “share” of information.
• Honoring opt-out requests: The enforcement action emphasizes the importance of complying with consumer requests to opt out of the sale of their personal information. This especially applies when a user takes advantage of mechanisms like the aforementioned Global Privacy Control. Businesses must establish clear procedures to process opt-out requests effectively and recognize signals triggered by GPC.
• Closely examining consumer data treatment: The Sephora case demonstrates the overall increased scrutiny surrounding the handling of consumer data. Companies must prioritize transparency, consent, cookie options, and maintaining up-to-date privacy policies.

To ensure compliance with California’s privacy laws, businesses should consider the following steps:

• Assess data use: Evaluate whether your use of cookies or other technologies may be considered a “sale” or “sharing” of personal information for targeted advertising, analytics, or other value exchanges.
• Transparent privacy policies: Review and update privacy policies to provide transparent information about the collection, processing, sale, and sharing of personal information. If you sell personal information, be honest about it.
• Opt-out mechanisms: Implement opt-out mechanisms, such as a “Do Not Sell My Personal Information” link on your website. Develop methods to process opt-out requests, including recognizing Global Privacy Control signals triggered by users’ browsers.
• Keep up with privacy laws: Familiarize yourself with your obligations under the privacy laws you may be subject to. The CCPA/CPRA is just one of many.

Learning from Sephora’s CCPA Mistake

The settlement between Sephora and the California Attorney General’s Office serves as a reminder for businesses to prioritize privacy compliance. Adhering to transparency, consumer consent, and opt-out mechanisms is crucial in meeting the expectations set by privacy laws. By staying informed and proactive, businesses can navigate the ever-evolving landscape of data protection effectively and build trust with their customers.

Don’t make the same mistakes Sephora did. Contact us today for a free demo of our state-of-the-art privacy compliance software, 4Comply.