California Attorney General Settles with Sephora for Alleged CCPA Violations
Overview of Enforcement Initiatives
On August 24, 2022, the California Attorney General (“AG”) announced the first California Consumer Privacy Act (“CCPA”) public enforcement action: a settlement with multinational beauty retailer Sephora, Inc. (“Sephora”) for alleged CCPA violations. The same day, the AG also released a new batch of enforcement case examples and used striking language in an accompanying Press Release. There is plenty to unpack from this latest round of developments, including the AG office’s enforcement priorities, potential areas of future regulatory attention, and multiple steps for businesses to take now to strengthen their CCPA compliance program.
Sephora’s alleged violations included not providing consumers with notice of the sale of consumer personal information (“PI”) and not detecting or processing consumer requests to opt-out of sale with user-enabled global privacy controls. Sephora did not cure these alleged violations within the allotted 30-day cure period. Because Sephora did not cure, the AG initiated an investigation which led to the subsequent enforcement action. The underlying facts and key takeaways of each violation follow.
Lack of Notice Regarding Sale of Consumer PI and “Third-Party Surveillance”
AG Rob Bonta alleged in his initial complaint that Sephora did not provide notice of the sale of consumer PI that resulted from tracking software installed on Sephora’s website and mobile application (e.g., cookies, pixels, and software development kits) that enabled Sephora’s third-party service providers to track consumers while shopping. The AG alleged Sephora’s third-party service providers created consumer profiles using the PI collected on Sephora’s website, and then offered benefits to Sephora based on those profiles, such as consumer analytics, free and discounted targeted advertising, and other, similar services. The AG asserted that Sephora’s third-party service providers retained this consumer PI and used it for the benefit of other businesses. The AG alleged that these practices occurred without consumer notice or consent.
The AG found this exchange of PI for benefits falls under the CCPA’s broad definition of “sale,” triggering various obligations that Sephora allegedly did not meet (e.g., failure to allow consumer opt-out of sale of PI by providing a prominent “Do Not Sell My Personal Information” link). While the AG noted this type of exchange is not a “sale” if carried out pursuant to a valid service provider contract, he alleged that Sephora did not have such contracts in place with each third-party service provider involved.
The AG emphasized the broader consequences of “third-party surveillance” in this case. The AG found that Sephora’s violations deprived consumers of the ability to limit the proliferation of their PI on the internet by utilizing third-party tracking technology without providing notice or an opportunity to opt-out. Furthermore, because Sephora offers products like prenatal vitamins, the AG made special note that third parties could use such data points to draw conclusions about women’s health conditions. The AG did not elaborate on this point aside from suggesting that collecting data to draw such conclusions “can go beyond normal consumer profiling.”
No Response to Consumer Opt-Out Requests with User-Enabled Global Privacy Controls
The AG further alleged Sephora did not detect or process consumer requests to opt-out of sale with user-enabled global privacy controls. In June 2021, the AG began conducting an enforcement sweep of major retailers to assess whether consumers’ opt-outs of sale of PI were effective when signaled using the Global Privacy Control (“GPC”). The GPC is an independently developed global privacy control that allows consumers to send signals about their privacy preferences, such as requests to opt-out of sale, to each website they visit with one click, effectively a “universal opt-out.” The AG repeatedly highlighted the GPC and this universal opt-out feature in Sephora’s Settlement and in other guidance. The AG utilized the GPC to conduct the enforcement sweep and determined that Sephora “completely ignored” GPC “do not sell” signals.
Results of Settlement
The settlement requires Sephora to pay a $1.2 million fine. But the outcome of this set of alleged violations goes beyond hefty fines. Sephora also must comply with a set of compliance and reporting requirements for the next 2 years, including:
- Compliance with the CCPA provisions Sephora violated and the corresponding CPRA provisions that amend the CCPA once operative on 1/1/2023.
- Requirement to process consumer requests to opt out of sale of PI that are signaled via the GPC.
- Requirement to implement and maintain a program to assess and monitor how effectively Sephora processes requests to opt-out of sale of PI, including requests signaled via user-enabled global privacy controls like the GPC. The assessment results must be documented in an annual report and shared with the AG.
- Requirement to conduct an annual review of Sephora’s website and mobile applications to determine the entities to which it makes PI available. The review results must be documented in an annual report and shared with the AG; the review covers:
- All entities Sephora deems “Service Providers,” to confirm that valid contracts have been entered into with such Service Providers.
- Restricted data processing practices (pursuant to any Service Provider contracts).
- Relationships with entities not deemed “Service Providers” to ensure valid contracts are in place to protect consumers’ right to opt out or that Sephora does not share PI with such entities.
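The GPC signal described above is sent by the browser as an HTTP request header (Sec-GPC: 1). The following added example, not code from the post or from Sephora, shows how a site can treat that header as an opt-out-of-sale request and how the monitoring the settlement requires could count signals that were received but still ignored; the log format and sample lines are constructed for illustration.

```python
# Header name and value defined by the Global Privacy Control specification.
GPC_HEADER = "sec-gpc"
GPC_OPT_OUT_VALUE = "1"


def gpc_opt_out_requested(headers):
    """Return True if the request carries a valid GPC opt-out signal.

    Header names are matched case-insensitively; only the exact value "1"
    counts as a signal under the GPC specification.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_OPT_OUT_VALUE
    return False


def sale_permitted(headers, stored_opt_out):
    """Decide whether PI from this request may be passed to third parties for sale.

    stored_opt_out: whether the consumer already opted out via the site's own
    "Do Not Sell" link. A GPC signal is honored as an equivalent opt-out request.
    """
    return not (stored_opt_out or gpc_opt_out_requested(headers))


# Constructed sample access log (hypothetical format): request id, the GPC header
# value seen ("-" = absent), and whether PI was shared with trackers on that request.
SAMPLE_LOG = """\
req-1 gpc=1 shared=yes
req-2 gpc=1 shared=no
req-3 gpc=- shared=yes
req-4 gpc=0 shared=yes
"""


def audit_gpc_handling(log_text):
    """Count GPC opt-out signals received and how many were ignored.

    Models the monitoring program the settlement requires: a signal is
    'ignored' when PI was still shared despite a valid GPC opt-out.
    """
    received = ignored = 0
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("gpc") == GPC_OPT_OUT_VALUE:
            received += 1
            if fields.get("shared") == "yes":
                ignored += 1
    return {"received": received, "ignored": ignored}
```

Running audit_gpc_handling over the sample log reports two signals received and one ignored, which is the kind of discrepancy the annual assessment would need to surface.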
Key Takeaways from Sephora Enforcement Action
- The GPC and the right to opt-out of sale remain top enforcement priorities for the AG. Making opting-out easy and straightforward is a focus for the AG. The AG has repeatedly endorsed consumer-facing tools such as the Consumer Privacy Tool and the GPC. It is now clear that detecting and processing opt-out requests via user-enabled global privacy controls generally is a requirement. In the CCPA FAQ, the AG’s office indicates that businesses must honor opt-out-of-sale signals sent via the GPC as valid consumer requests.
- The CCPA and the Attorney General define the term “sale” broadly. Using the term “sale” broadly to describe Sephora’s activities (i.e., making data available in exchange for services) may seem counterintuitive. However, the Sephora action illustrates that the term is being interpreted in a way that casts a wide net, encompassing a greater proportion of the data flows between businesses and the third parties.
- The Attorney General is concerned about processing of PI that may permit inferences about “women’s health conditions.” It remains unclear how this type of PI will be handled going forward, but businesses should nonetheless review collection and processing practices for the presence of PI that could indicate women’s health conditions and consider handling it with a higher degree of care than other PI.
An Ongoing Enforcement Sweep Focused on Businesses Operating Loyalty Programs
The enforcement action against Sephora was a shot across the bow for businesses, one that demonstrated the strategy driving the ongoing enforcement sweep. The AG’s Office is reviewing businesses that provide loyalty programs to determine if they supply consumers with compliant Notices of Financial Incentives. Alongside the Sephora settlement, AG Bonta announced his office sent notices to several businesses alleging noncompliance with processing opt-out requests with user-enabled global privacy controls like the GPC.
The AG also issued a set of thirteen new enforcement case examples, over half of which featured noncompliant opt-out processes. Three of the new examples refer specifically to a failure to respond to opt-out requests signaled via the GPC. This appears to confirm the AG’s heightened focus on an ostensibly easier opt-out method like the GPC. Other apparent areas of focus for the AG’s office include:
- Insufficient and/or deficient privacy policies (e.g., unclear language);
- Not providing notice at collection;
- Not providing or providing an insufficient notice of consumer rights processes; and
- Improper verification processes.
Key Takeaways for Businesses
- GPC is a central focus for the AG. It is no coincidence that noncompliant opt-out processes dominate the most recent batch of enforcement case examples. Businesses should confirm they have implemented technology permitting them to honor opt-out requests submitted via the GPC. Likewise, businesses should review the effectiveness of any other methods for submitting opt-out requests. Be on the lookout for a future blog post taking a closer look at the GPC.
- Use the Sephora Settlement to Review Existing CCPA Compliance Programs. The Sephora settlement provides a useful model for businesses to assess whether their current data sharing practices are likely to be viewed as sales of PI and to adjust their contracts and practices, as appropriate. Businesses should make a list of the entities to which PI is currently made available, determine what category such entities should fall under (e.g., Service Providers), and assess how those entities utilize PI. Then, businesses should confirm the required Service Provider contracts are executed and amended as needed. Businesses should pay special attention to any contracts that require them to restrict data processing as specified in the contract and confirm the deployment of those restrictions.
- The halcyon days of CCPA enforcement are ending. AG Bonta used uncompromising language to put businesses on notice that the 30-day cure period will expire on January 1, 2023. The stern warning signals a new, far less lenient era in CCPA enforcement is fast approaching: “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by customers, and process opt-out requests made via user-enabled global privacy controls.”
By: Will Kenney and Maddie Level