Sephora Gets a [Privacy Policy] Makeover

The first public enforcement action for California Consumer Privacy Act (“CCPA”) violations may cause Sephora to make over its data collection policies.

California’s Attorney General announced a settlement with Sephora, Inc. (Sephora), the giant cosmetics and beauty product retailer. Sephora allegedly failed to provide its customers with adequate notice of the sale of their personal information, didn’t provide a “Do Not Sell” link (as required under the CCPA), and didn’t provide methods for consumers to opt out of the sale. Further, it did not fix the issues within the thirty (30) day cure period under the CCPA.

Under the CCPA, if a company collects personal data through cookies or third-party pixels, and that data is shared with another party, one of two things must be true:

The company collecting the data (in this case Sephora) has a contract in place with the party to whom the data is transferred, defining the parties under the CCPA as a Business and a Service Provider;

OR

The transfer of data to a third party counts as a sale, which then triggers other obligations under the CCPA, including notifying consumers of the sale of data, providing a “Do Not Sell My Personal Information” link, and providing at least two methods of opting out of the sale of data (and processing those requests) – among others.

In this case Sephora did neither. Its policies specifically stated that Sephora did not sell personal information, which would have required Sephora to have Service Provider agreements in place with the parties receiving the data; it did not. Without those agreements, Sephora’s transfer of the data constituted a sale, triggering the other obligations under the CCPA, which, again, Sephora failed to meet.

In addition to paying $1.2 million, Sephora must:

· Provide the proper online disclosures and update its privacy policy to state that it sells data;

· Include the opt-out mechanisms;

· Establish compliant service provider agreements in accordance with the CCPA;

· Provide reports to the AG regarding the status of the above requirements and its compliance with GPC signals.*

Of note in this case is the mention of Global Privacy Control (GPC) signals.* A GPC signal is a browser setting that notifies websites of a user’s privacy preference, such as not to share or sell personal data without permission. While the CCPA statute does not specifically mention GPC signals, the California Privacy Rights Act (CPRA), effective 2023, does refer to “opt-out preference signals,” and this case points to them as a viable way for consumers to communicate “Do Not Sell” preferences to businesses.
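For readers on the engineering side of a privacy program, the following is an added example (it is not code from the original post or from Sephora) of what honoring a GPC signal looks like in practice. Browsers that implement GPC send the request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl` as a boolean to page scripts. Everything else here is an assumption for illustration: the tag list, its `role` labels, and the sample requests are constructed inline.

```javascript
// Added example: gate third-party tracking tags on the Global Privacy Control
// signal. Assumptions (not from the original post): request headers arrive as
// a plain object, tags are labelled by whether their recipient is under a
// service-provider contract, and the sample inputs below are constructed.

// Server side: GPC is carried as the header "Sec-GPC: 1". Header names are
// case-insensitive, and anything other than the exact value "1" is no signal.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Client side: supporting browsers set navigator.globalPrivacyControl === true.
// A missing property (older browsers) means no signal, not an opt-in.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Constructed tag inventory. "serviceProvider" tags send data to a party under
// a CCPA service-provider agreement; "thirdParty" tags send data to a party
// without one, which the CCPA treats as a sale and a GPC signal must block.
const SAMPLE_TAGS = [
  { name: 'analytics-sp', role: 'serviceProvider', src: 'https://sp.example/a.js' },
  { name: 'ad-pixel', role: 'thirdParty', src: 'https://ads.example/px.gif' },
  { name: 'retarget-pixel', role: 'thirdParty', src: 'https://rt.example/px.gif' },
];

// Decide which tags may load. Either a GPC signal or an explicit "Do Not Sell"
// opt-out recorded for the visitor suppresses every third-party tag; tags
// covered by a service-provider contract keep loading either way.
function tagsToLoad(tags, { gpc, optedOut }) {
  const doNotSell = gpc || optedOut;
  return tags
    .filter((t) => t.role === 'serviceProvider' || !doNotSell)
    .map((t) => t.name);
}

// One decision per request, returned as an audit record so the outcome can be
// reported on later (the settlement requires reports on GPC compliance).
function decideForRequest(headers, tags, optedOut = false) {
  const gpc = gpcFromHeaders(headers);
  const loaded = tagsToLoad(tags, { gpc, optedOut });
  const blocked = tags.map((t) => t.name).filter((n) => !loaded.includes(n));
  return { gpc, optedOut, loaded, blocked };
}

// Constructed sample requests: one from a GPC-enabled browser, one without.
const REQUEST_WITH_GPC = { 'user-agent': 'ExampleBrowser/1.0', 'Sec-GPC': '1' };
const REQUEST_WITHOUT_GPC = { 'user-agent': 'ExampleBrowser/1.0' };

console.log(decideForRequest(REQUEST_WITH_GPC, SAMPLE_TAGS));
console.log(decideForRequest(REQUEST_WITHOUT_GPC, SAMPLE_TAGS));
```

The decision is made server-side from the header before any pixel is emitted, so the third-party request never leaves the browser; the `navigator` check is the fallback for tags injected by page scripts after load. Keeping the per-request decision as a structured record is what makes the compliance reporting the settlement requires feasible.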

Why this matters: First and foremost, it matters because we now know California means business when it comes to enforcement of the CCPA. Second, the CPRA will not only amend this law but expand the obligations (and presumably the penalties) for businesses under its purview, so now is the time to examine privacy policies and back-end procedures, and to update service provider agreements.

Guest User | The Ad Matter