On August 24, 2022, California Attorney General Rob Bonta announced an agreement with Sephora, Inc. which included a $1.2 million fine for alleged violations of the California Consumer Privacy Act (CCPA). The settlement is likely the first of many enforcement actions stemming from the Attorney General’s enforcement campaign against online retailers and other businesses for potential CCPA violations, which began in June 2021. While other investigations have focused on failure to disclose loyalty-based financial incentive programs, privacy disclosures that are not understandable to the average consumer and do not include required information, and “Do Not Sell My Personal Information” links that only worked on certain Internet browsers, the enforcement action against Sephora is particularly significant for many website operators because it was based on the allegation that Sephora failed to disclose the sale of personal information, or to provide a “Do Not Sell My Personal Information” link, arising from its use of analytics cookies and advertising on its website.
The Attorney General’s complaint alleges that Sephora’s website collects personal information (as defined in the CCPA) such as the products consumers view and purchase, geolocation data, cookies and other unique identifiers, and information about the consumer’s operating system and browser type. It further alleges that Sephora makes such personal information available to third parties in order to receive advertising and analytics services, through the installation or use of trackers such as cookies, clear GIFs and other technologies that automatically transmit personal information.
The complaint states that while Sephora’s privacy notice accurately disclosed that it shared geolocation and other electronic network information with third parties such as ad networks, business partners and data analytics providers, such disclosure in exchange for services from those entities constituted a “sale” under the CCPA. The CCPA defines a “sale” of personal information to include disclosure for monetary or other valuable consideration. The complaint alleges that Sephora’s use and transmission of personal information constituted a “sale” under the CCPA because the disclosure was made in exchange for free, discounted, or premium advertising or analytics services from its third-party providers.
Having concluded that Sephora engaged in a “sale” of personal information as defined in the CCPA, the complaint further alleges that Sephora failed to disclose this sale in its privacy notice and instead asserted that it had not sold any personal information. In addition, the complaint alleges that Sephora failed to offer a “Do Not Sell My Personal Information” link or to comply with a browser opt-out signal (specifically the Global Privacy Control, or GPC). The complaint claims that the Attorney General notified Sephora of the potential violations on June 25, 2021, and that Sephora failed to remedy the website deficiencies within the 30-day cure period provided under the CCPA. Because of Sephora’s alleged failure to remedy the deficiencies, the Attorney General’s complaint alleged violations not only of the CCPA but also of California’s unfair and deceptive practices law, California Business and Professions Code § 17200, et seq., for allegedly unfairly depriving consumers of their right to opt out of the sale of personal information.
Under the settlement, Sephora is required to pay (to the Consumer Privacy Fund) a $1.2 million fine. In addition, Sephora must:
- Update its privacy notice to clearly state that it sells personal information and that consumers have the right to opt out of those sales. Sephora must also update its privacy notice to comply with the California Privacy Rights Act (CPRA) regarding “selling” or “sharing” when it becomes effective.
- Process opt-out requests for the sale of personal information, including through the use of the GPC.
- Implement and maintain a program to assess, test, monitor and report to the Attorney General on its activities related to the sale of personal information, its disclosures to service providers and other third parties, and its compliance with the settlement’s terms. These measures must generally be implemented within 180 days of the settlement’s effective date and must continue for 2 years.
- Ensure that its disclosures to “service providers” are made under agreements that meet the contractual requirements described in the CCPA, and implement any “restricted data processing” configurations that may be necessary to give effect to those contractual requirements with certain third parties (such as Google and Facebook).
The settlement is important because it makes clear that the use of analytics and advertising cookies and other automatic data collection technologies is a “sale” under the CCPA and will be considered a “sale” or “sharing” under the forthcoming CPRA. The settlement also makes clear that, while the GPC is not yet widely adopted and browsers may send other signals in the future, the Attorney General considers honoring the GPC to be mandatory whenever it is sent.
The enforcement action and settlement should also end any belief that the Attorney General is less than robust in enforcing the CCPA, and instead confirm that the Attorney General has been and continues to be actively enforcing it. The inclusion of allegations that Sephora violated California Business and Professions Code § 17200, et seq., also suggests that the Attorney General is prepared to plead every available cause of action beyond the CCPA itself in order to compel compliance.
In light of this settlement and the other enforcement actions disclosed by the Attorney General, businesses that are subject to the CCPA (and the upcoming CPRA) should immediately review their CCPA compliance to minimize the risk of becoming the target of further enforcement actions, including:
- Review the use of any cookies or other similar technologies for analytics, advertising and other similar services that may be a “sale” under the CCPA.
- Ensure that privacy notices properly disclose any potential “sales” of personal information and the method consumers can use to opt out of such sales, in particular by disclosing the use of personal information for advertising, analytics and similar purposes.
- Ensure that privacy notices properly disclose all activities (including loyalty programs) that may be considered a “financial incentive” and provide all required information about the financial incentive, including how the value of the personal information is determined and how a consumer can enroll in or opt out of the financial incentive program.
- Review agreements with third parties to ensure that all CCPA-required terms and conditions are included, and consider whether disclosures under those agreements constitute a “sale” of personal information subject to the consumer’s right to opt out.
- Implement a “Do Not Sell My Personal Information” link if any disclosure of personal information to third parties may be considered a “sale” under the CCPA.
- Ensure that the website recognizes and correctly handles any GPC or other similar privacy control signal sent by a browser.
- Review privacy notices to ensure they are clear and understandable to the average consumer. Businesses may wish to avoid “one size fits all” privacy notices covering many products and services, which can confuse consumers, in favor of tailored privacy notices for each product and service. Companies should also be diligent about verifying any statement in a notice that information is not being sold.
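The GPC item in the list above says a website must recognize and correctly handle the browser signal. The following is an added example, not code from the article or from Sephora, showing how a server can do that: per the GPC specification, a browser with the control enabled sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl === true` to page scripts), and a site can publish `/.well-known/gpc.json` to state that it honors the signal. The function names, the stored-preference model, the cookie name `ccpa_pref` and the sample requests are constructed for this example.

```javascript
// Added example (not from the article): recognizing and honoring the
// Global Privacy Control (GPC) signal on the server side.
// Per the GPC specification, a browser with the control enabled sends the
// request header "Sec-GPC: 1" on every request; the same browser also
// exposes navigator.globalPrivacyControl === true to page scripts.
// Function names, the stored-preference model, the cookie name and the
// sample requests below are constructed for this example.

// Header names are case-insensitive, so compare them case-insensitively.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      // Only the exact value "1" is a valid opt-out signal; "0", an empty
      // value or anything else is treated as no signal.
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide whether tags that would amount to a "sale" or "sharing" of
// personal information (advertising pixels, third-party analytics) may be
// loaded for this request. storedPreference is the consumer's earlier
// explicit choice on the site: "opt-in", "opt-out" or null (no choice yet).
// Assumption in this example: a GPC signal is treated as an opt-out request
// and overrides a stored opt-in; with no signal and no stored opt-out, the
// CCPA opt-out model means tags may load until the consumer opts out.
function decideSaleTags(headers, storedPreference) {
  if (gpcSignalled(headers)) {
    return { allowSale: false, reason: "gpc" };
  }
  if (storedPreference === "opt-out") {
    return { allowSale: false, reason: "stored-preference" };
  }
  return { allowSale: true, reason: "no-opt-out" };
}

// Body for GET /.well-known/gpc.json, by which a site states that it
// honors the signal (document shape per the GPC specification).
function gpcWellKnownDocument(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Minimal request handler showing where the decision is applied. req is a
// plain object { path, headers, cookies } standing in for a framework
// request; the returned object is the response the server would send.
function handleRequest(req) {
  if (req.path === "/.well-known/gpc.json") {
    return {
      status: 200,
      headers: { "Content-Type": "application/json" },
      body: gpcWellKnownDocument("2022-08-24"),
    };
  }
  const stored = req.cookies && req.cookies.ccpa_pref ? req.cookies.ccpa_pref : null;
  const decision = decideSaleTags(req.headers, stored);
  // Keep a record for the assess/test/monitor program: what signal was
  // received and what the server did with it.
  const audit = {
    path: req.path,
    gpc: gpcSignalled(req.headers),
    stored,
    allowSale: decision.allowSale,
    reason: decision.reason,
  };
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    // Only render third-party tag loaders when the sale is permitted.
    body: decision.allowSale
      ? "<html><!-- ad/analytics tag loaders go here --></html>"
      : "<html><!-- tags suppressed: " + decision.reason + " --></html>",
    audit,
  };
}

// Constructed sample requests: one from a browser sending GPC despite a
// stored opt-in, one with neither a signal nor a stored choice.
const signalledRequest = {
  path: "/products",
  headers: { "Sec-GPC": "1", "User-Agent": "example-browser" },
  cookies: { ccpa_pref: "opt-in" },
};
const plainRequest = { path: "/products", headers: {}, cookies: {} };

console.log(handleRequest(signalledRequest).audit);
console.log(handleRequest(plainRequest).audit);
```

The check has to run on every request, not only on the consent-banner page, because the header arrives with each request and a consumer who enables the control later should be honored from that point on; the audit record is what the settlement's assess/test/monitor program would be built on.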
Companies should also be on the lookout for notices from the California Attorney General alleging CCPA violations. The Attorney General’s announcement said that notices had been sent to other companies alleging non-compliance with opt-out requests made through the Global Privacy Control. Under the CCPA, companies have 30 days to cure such violations. The Sephora settlement suggests that companies that receive such notices should take immediate action to remedy any alleged deficiencies, and that the Attorney General is willing to take legal action against companies that do not take steps to comply.
Businesses should also be aware of the changes to their handling of personal information required under the California Privacy Rights Act, which takes effect January 1, 2023. These may include complying with consumer requests to exercise their additional privacy rights, such as the right to limit the use of sensitive personal information or the right to correct their personal information. Businesses should also be reminded that the employment information and business-to-business information exceptions will expire on January 1, 2023, unless one of the many pending bills is passed by August 31, 2022, which seems unlikely. If these provisions expire, the full scope of the CPRA will apply to both employee and business-to-business information. For more information on the additional requirements under the CPRA, please see our discussion of this upcoming law at California Voters Pass the California Privacy Rights Act.
Finally, with greater enforcement by the Attorney General and the upcoming implementation of the CPRA in January 2023, there is an increased risk of civil lawsuits against businesses that fail to comply with both the CCPA and the CPRA. Diligent review of business practices regarding privacy notices, privacy policies and the use of consumer information is therefore essential to limit any potential exposure under the CCPA, the CPRA or Business and Professions Code § 17200, et seq.
For further information on upcoming CCPA or CPRA compliance, please contact any of the authors or any partner or senior counsel on Foley’s Cybersecurity and Data Privacy team.