By: Madeleine V. Findley and Effiong K. Dampha

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora Inc. (Sephora), the first public enforcement action under the California Consumer Privacy Act (CCPA).^[1] The settlement resolved allegations that Sephora failed to disclose it was selling consumers’ personal information, failed to honor opt-out requests from user-enabled global privacy controls, and failed to cure these violations within 30 days, as required by CCPA. The settlement is part of “an enforcement sweep” of online retailers and their use of third-party tracking software on websites and mobile apps. The Attorney General simultaneously announced a new “investigative sweep” focused on whether businesses are complying with opt-out requests from user-enabled global privacy controls. Attorney General Bonta underscored his commitment to “robust enforcement” of California’s privacy law, stating “My office is watching, and we will hold you accountable.”^[2] 

Sephora Settlement for Failure to Disclose Third-Party Tracking and Honor Opt-Out Requests

According to the Attorney General, Sephora allowed third-party companies to install cookies and other tracking software on its website and in its app that collected data about consumers, including the type of device a consumer used, the brand of cosmetic product the consumer placed in the shopping cart, and the consumer’s precise location. The Attorney General found this data sharing to be a sale of consumer information, and that Sephora had failed to notify consumers of the sale and offer an opt-out or to honor opt-out requests via global privacy controls.

The settlement required Sephora to pay $1.2 million in penalties and to: 

1. clarify its online disclosures and privacy policy to state that it sells data, 
2. provide opt out mechanisms, including via the Global Privacy Control, and
3. conform its service provider agreements to the CCPA’s requirements. 
   

The agreement also required Sephora to provide status reports to the Attorney General on its progress on each of these obligations.^[3] 

Notices of Non-Compliance with Global Privacy Controls

The Attorney General also announced a “new investigative sweep” focused on compliance with global privacy controls. As part of this “sweep,” the Attorney General sent notices of non-compliance on August 24 to over a dozen businesses relating to their alleged failure to process consumer opt-out requests made through user-enabled global privacy controls, such as the GPC. After quietly adding an FAQ about the GPC to the AG’s CCPA webpage in 2021 that the GPC “must be honored” as a request to opt out of the sale of personal information, the AG’s actions signal an increasingly aggressive enforcement approach. Businesses that receive a notice will have 30 days to cure their noncompliance—but this right to cure will expire when the California Privacy Rights Act becomes effective on January 1, 2023. The new round of notices makes clear that the Attorney General’s expectation that businesses will honor user-enabled global privacy controls.

Additional Case Examples

The Attorney General also updated the CCPA Enforcement Case Examples webpage for the first time since July 2021 with 13 new case summaries. These include failure to honor consumer opt out requests, failure to appropriately disclose financial incentives in loyalty programs, flaws in responding to consumer requests to access or delete personal information, and non-compliant privacy policies. The businesses involved ranged from telehealth providers to fintech to fitness chains.

In a press statement, Attorney General Bonta emphasized his view that the Sephora settlement would “send a strong message to businesses,” and noted “there are no more excuses” for not complying with CCPA. The settlement, case examples, and new round of notices reflect an increasingly robust focus on enforcing California privacy law, and pose additional compliance challenges as businesses prepare for the California Privacy Rights Act to take effect in 2023.

[1] Press Release, Cal. Dept. of Justice, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement (AG Bonta Press Release)
[2] AG Bonta Press Release
[3] AG Bonta Press Release; California v. Sephora, Inc., Case No. CGC-22-601380 (Cal. Sup. Ct. Aug. 24, 2022), available at https://oag.ca.gov/system/files/attachments/press-docs/Filed Judgment.pdf