The California Attorney General’s office recently announced that French multinational personal care and beauty products retailer Sephora, Inc. has agreed to pay $1.2 million to resolve allegations that the company violated the California Consumer Privacy Act (CCPA), making it the first settlement under California’s landmark privacy law.

The CCPA is a first-in-the-nation law that was passed in 2018 and went into effect in 2020. It gives Californians the right to know what information a business collects about them and shares; the right to delete personal information collected from them; the right to opt out of the sale of their personal information; and the right to not be discriminated against for exercising the rights the CCPA gives them. Oftentimes, online retailers allow third-party companies to install tracking software to monitor a consumer’s shopping trends.

In this instance, in an attempt to target potential customers, Sephora enabled third parties to create profiles about a consumer by tracking, among other items, the type of products placed in their online shopping cart and their precise location. As a result, Attorney General Rob Bonta accused Sephora of: (1) failing to disclose to customers that it sells their personal information; (2) failing to process users’ requests to opt out of having their personal information sold; and (3) failing to correct its violations within the thirty-day window that the CCPA currently allows. In addition to the $1.2 million monetary penalty under the settlement, Sephora must also comply with important injunctive terms, including:

  • Clarifying its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Providing mechanisms for consumers to opt out of the sale of personal information;
  • Providing reports to the Attorney General relating to its sale of personal information.

While Sephora is not required to admit liability or wrongdoing, the settlement currently needs the approval of a state judge.  Sephora must comply with the terms of the judgment within 180 days of the effective date, and for the next two years afterward.

Sephora’s settlement underscores the rights that consumers have under the CCPA and the ongoing efforts by Attorney General Rob Bonta’s office to enforce California’s comprehensive consumer privacy law.  “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s privacy law.  My office is watching, and will hold you accountable,” said Bonta in a statement issued on August 24, 2022.

To avoid exposure under the CCPA similar to Sephora’s, companies in California need to provide clear notice that a consumer’s data is being sold and make available an effective mechanism for consumers to opt out of the sale of information. Companies that have been lax on CCPA compliance because of the 30-day compliance window should know that the window will be eliminated effective January 1, 2023.

Taft’s Privacy and Data Security attorneys will continue to monitor this and other developments as enforcement continues and the California Privacy Rights Act (CPRA) nears its effective date in January.