Sephora Puts CCPA to the Test

Data Privacy

Sephora received no California Love when it failed an enforcement sweep of online retailers conducted by Attorney General Rob Bonta last winter. On August 24th, AG Bonta announced a settlement with the beauty company of $1.2 million for its violation of the California Consumer Privacy Act (CCPA).

In addition to the monetary fine, Sephora will also have to:

  1. Affirmatively tell consumers that it “sells” data
  2. Conform its service provider agreements to the CCPA’s requirements
  3. Provide opt-out of sale mechanisms in addition to honoring Global Privacy Controls
  4. Regularly report to the AG regarding its sale of Personal Information, the status of its service provider relationships and its efforts to honor GPC.

“Sale” Definition Expands

The complaint alleged that Sephora violated the CCPA by “selling” the personal information of California consumers without properly notifying them or giving them the appropriate opportunity to opt out. Sephora received no direct financial payment from the third parties that had access to consumer information, such as location data and the items consumers placed in their online shopping carts. The complaint argues, however, that Sephora received “other benefits,” which is enough to bring the disclosures within the CCPA’s definition of a sale.

Per this Settlement, the AG’s office defines “sale” as where the business discloses or makes available a consumer’s personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration, including, but not limited to: (1) personal information or other information such as analytics; or (2) free or discounted services. In this case, Sephora received the opportunity to purchase online ads targeting consumers from the third parties. The company then frequently kept the data and used it “for the benefit of other businesses, without the knowledge or consent of the consumer.” Sephora pushed back on this broad definition (note: by entering into the Settlement, Sephora does NOT admit any wrongdoing).

While the AG’s interpretation in this settlement is clear, it overlaps with the separate definition of “sharing” in the California Privacy Rights Act (CPRA), which backs the “Do Not Share” right. Sharing is the disclosure of personal information to a third party for cross-context behavioral advertising: profiling and targeting a consumer based on personal information gained from his or her activity across various businesses, websites, applications, etc. Unlike a sale, sharing does NOT need to involve any monetary or other consideration. In practice, the same third-party pixel can therefore be both a sale (under the AG’s reading) and a share (under the CPRA).

Universal Opt Outs and Global Privacy Control (GPC)

GPC is a technical specification for transmitting opt-out signals. Sometimes referred to as a “universal opt-out mechanism,” it lets users run a browser or extension that supports the signal and turn it on for all websites or for individual websites. The browser then sends the signal with every request it makes; a website that supports GPC reads the signal and automatically treats it as that user’s request to Not Sell Personal Info, with no per-site form to fill in. A few browsers (Brave and DuckDuckGo) as well as publishers (NYTimes and Washington Post) have publicly declared support for GPC. While GPC is currently tailored to the CCPA, its creators believe it could be relevant for other privacy regulatory purposes in the future, noting that a “GPC signal opting out of processing could create a legally binding obligation for data processors.”

In addition to providing the required “Do Not Sell My Personal Information” link, the California regulator expects every business subject to the CCPA to honor the GPC signal as a valid opt-out request. AG Bonta also stated that, “technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer’s data and ignore requests to opt-out of its sale.”
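What honoring GPC looks like in code, as an added example that is not part of the original post and is not Sephora’s or BigID’s code: a conforming browser sends the HTTP request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl === true` to page scripts, and a site can advertise support at `/.well-known/gpc.json`. The functions below read the signal, combine it with any opt-out the visitor recorded through the site’s own “Do Not Sell” link, and decide whether third-party ad pixels may load. The request headers, the stored preference and the `lastUpdate` date are constructed for illustration.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out.
// The GPC spec defines exactly one header value, "1", as the opt-out signal;
// any other value or a missing header means no signal was sent.
function gpcOptOut(headers) {
  // HTTP header names are case-insensitive, so normalize before lookup.
  const lower = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lower[name.toLowerCase()] = value;
  }
  const value = lower['sec-gpc'];
  // Strict match: "true", "yes" or "2" are not opt-outs, and "0" is not consent.
  return String(value).trim() === '1';
}

// Client-side counterpart: page scripts can check the DOM property before
// loading a third-party pixel. `nav` is passed in so it can be tested
// outside a browser (window.navigator in real use).
function clientOptOut(nav) {
  return !!(nav && nav.globalPrivacyControl === true);
}

// Server-side decision for one page load. `storedOptOut` is the preference the
// visitor recorded through the site's own "Do Not Sell" link (true = opted out).
// Either signal is sufficient to opt out; neither can re-enable a sale.
function resolveDoNotSell(headers, storedOptOut) {
  const viaHeader = gpcOptOut(headers);
  const optedOut = viaHeader || storedOptOut === true;
  return {
    optedOut,
    // Third-party ad pixels and SDKs that disclose data to other businesses
    // must not fire for an opted-out visitor.
    loadThirdPartyAdPixels: !optedOut,
    // Record which signal produced the decision so it can be reported later.
    source: viaHeader ? 'gpc-header' : (storedOptOut === true ? 'stored-preference' : 'none'),
  };
}

// Body for /.well-known/gpc.json, which tells visitors and auditors that the
// site honors GPC. The date is an assumed value for this example.
function wellKnownGpc(lastUpdate = '2022-09-01') {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  { name: 'Brave with GPC enabled', headers: { 'Sec-GPC': '1', 'User-Agent': 'Brave' }, stored: false },
  { name: 'No signal, no stored preference', headers: { 'User-Agent': 'Chrome' }, stored: false },
  { name: 'Malformed header value', headers: { 'sec-gpc': 'true' }, stored: false },
  { name: 'No signal, opted out via site link', headers: { 'User-Agent': 'Safari' }, stored: true },
];

for (const req of sampleRequests) {
  const decision = resolveDoNotSell(req.headers, req.stored);
  console.log(`${req.name}: optedOut=${decision.optedOut} source=${decision.source}`);
}
console.log('/.well-known/gpc.json ->', wellKnownGpc());
```

Two points worth noting from the code: the header check must be strict, because a lenient parser that accepted any truthy value would silently opt people out on `Sec-GPC: 0` while a parser that required consent on absence would ignore the signal entirely; and the decision records which signal it acted on, since the settlement requires Sephora to report to the AG on its efforts to honor GPC.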

The Future for California Businesses

The settlement is a signal that the AG is planning to become more aggressive in pursuing actions against companies that fail to comply with the law. Bonta told reporters that “Today isn’t only about Sephora. Today’s settlement sends a strong message to businesses about the California DOJ’s ongoing efforts to enforce the CCPA.”

Along with the settlement, AG Bonta also sent notices to a number of businesses alleging non-compliance for failure to process consumer opt-out requests made via the GPC. The CCPA’s notice-and-cure provision, which requires that a business receive notice and a 30-day opportunity to cure before it can be held accountable for a CCPA violation, will expire on January 1, 2023, so businesses will no longer be able to count on a warning before an enforcement action.

The AG’s office also published an update to its list of CCPA enforcement case examples, which includes Sephora as an example alongside missing “Do Not Sell My Personal Information” links, erroneous handling of consumer rights requests, non-compliant privacy policies, missing disclosure notices, and non-compliant financial incentive notices for loyalty programs.

And Across the Pond…

While the AG settlement is the first major public enforcement action under the CCPA, it is not the first legal action brought against Sephora in 2022. Sephora also faced legal trouble earlier this year when France’s data protection agency, CNIL, found its use of the Google Analytics and Facebook Connect integrations unlawful.

These combined enforcement actions against Sephora this year should motivate businesses to fully comply with new and growing regulations.

How Bigid Can Help Prepare for Enforcement of CCPA

As the California AG raises the bar on enforcement, it is now essential to build your privacy program around the regulatory requirements rather than around a best-effort reading of them.
Here is how BigID can prepare your organization for CCPA compliance and for the updated requirements of the CPRA:

  • Data Discovery & Audits: The CCPA regulates personal information, including direct and inferred identifiers. BigID helps build an automated data inventory to discover, map and classify CCPA-impacted data to prepare for potential regulatory audits.
  • Data Mapping: Simplify CCPA compliance by mapping your data assets and automating your data inventory across the business. BigID helps you understand data-sharing flows with third parties and service providers, with summary reporting of third-party data sharing and processing opt-outs.
  • Data Rights Management: To fulfill the privacy rights of California residents, BigID provides organizations with a public-facing self-service privacy portal that covers the end-to-end consumer rights process, from the “right to know” to the “right to delete.” BigID also supports honoring CCPA opt-out requests, in particular opt-outs of the “sale” of data.
  • Cookie Consent & Preferences: It’s time to get serious about cookie consent and preferences, as easy-to-use consumer opt-outs are a central point of this settlement. BigID provides end-to-end cookie consent and privacy preference management to automatically capture and manage consent and preferences, helping you build trust with consumers and avoid fines from the AG’s office.

Are the expectations of managing CCPA (and soon to be CPRA) compliance challenging at your organization? See how BigID enables companies to automate their entire data privacy program, achieve compliance, and stay ahead of the California AG.