Sephora Pays $1.2M for Failing to Comply With CCPA

After failing to comply with the California Consumer Privacy Act (CCPA), Sephora, Inc., a beauty product retailer, settled with the office of the California Attorney General for $1.2 million.

The settlement stems specifically from Sephora’s failure to:

  1. Notify consumers of how Sephora handles personal data.
  2. Offer consumers a means of opting out.
  3. Honor consumers’ opt-out requests.

The company allowed third-party firms to create profiles about consumers by tracking things like consumer devices, the products that consumers added to their shopping carts, as well as the exact locations of consumers. Sephora benefits from these relationships because it gains information that helps it more effectively target potential customers.

As Sephora's arrangement with these third parties constituted a sale of consumer information under the CCPA, it triggered basic obligations on the part of Sephora, including:

  • Informing consumers that Sephora was selling their information.
  • Allowing consumers to opt out of the sale of their information.

Despite receiving a 30-day right-to-cure notice from the Attorney General’s office to correct the CCPA infractions, Sephora failed to remedy the issues, which resulted in the fine. It’s clear that businesses must honor Global Privacy Control (GPC) signals from consumers. Their websites have to be capable of receiving and honoring consumers’ right-to-privacy requests.

This enforcement action confirms that the Attorney General’s office is actively searching for violators of the CCPA. As part of its ongoing efforts to enforce CCPA, the AG’s office has notified a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.

Sephora must now:

  1. Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data.
  2. Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control.
  3. Conform its service provider agreements to the CCPA’s requirements.
  4. Provide reports to the California Attorney General’s office relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.

Business leaders should note that the 30-day right-to-cure notice expires on January 1, 2023, for any violation other than breach.

They should also consider that the CCPA included a loophole that only enabled consumers to opt out of the selling of their personal data, but not the sharing of their data for certain uses. Technology and advertising firms took advantage of this loophole to continue collecting consumer data.

The California Privacy Rights Act (CPRA) closes this loophole and clarifies that organizations must allow consumers to opt out if their data is sold to or shared with third parties providing targeted advertising services.

Satisfying the CCPA

To cost-effectively ensure that you are complying with the CCPA and CPRA, you will have to manage and track consumers’ requests to opt out, review, access, delete, and obtain their data.

Business owners and leaders need a system for tracking consumer requests to opt out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. A platform kept up to date with the latest changes to data privacy laws across the U.S.

Get started with PrivacyCare for help with your data privacy compliance.
