Privacy & Data Security Feed

California Attorney General Sends “Strong Message” in Fining Sephora $1.2 Million for CCPA Violations and Announces “New Investigative Sweep”

By: Madeleine V. Findley and Effiong K. Dampha

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora Inc. (Sephora), the first public enforcement action under the California Consumer Privacy Act (CCPA).[1] The settlement resolved allegations that Sephora failed to disclose it was selling consumers’ personal information, failed to honor opt-out requests from user-enabled global privacy controls, and failed to cure these violations within 30 days, as required by the CCPA. The settlement is part of “an enforcement sweep” of online retailers and their use of third-party tracking software on websites and mobile apps. The Attorney General simultaneously announced a new “investigative sweep” focused on whether businesses are complying with opt-out requests from user-enabled global privacy controls. Attorney General Bonta underscored his commitment to “robust enforcement” of California’s privacy law, stating “My office is watching, and we will hold you accountable.”[2]

Sephora Settlement for Failure to Disclose Third-Party Tracking and Honor Opt-Out Requests

According to the Attorney General, Sephora allowed third-party companies to install cookies and other tracking software on its website and in its app that collected data about consumers, including the type of device a consumer used, the brand of cosmetic product the consumer placed in the shopping cart, and the consumer’s precise location. The Attorney General treated this data sharing as a sale of consumer information and alleged that Sephora had failed to notify consumers of the sale and offer an opt-out, and had failed to honor opt-out requests sent via global privacy controls.

The settlement required Sephora to pay $1.2 million in penalties and to: 

  1. clarify its online disclosures and privacy policy to state that it sells data, 
  2. provide opt-out mechanisms, including via the Global Privacy Control, and
  3. conform its service provider agreements to the CCPA’s requirements. 

The agreement also required Sephora to provide status reports to the Attorney General on its progress on each of these obligations.[3] 

Notices of Non-Compliance with Global Privacy Controls

The Attorney General also announced a “new investigative sweep” focused on compliance with global privacy controls. As part of this “sweep,” the Attorney General sent notices of non-compliance on August 24 to over a dozen businesses relating to their alleged failure to process consumer opt-out requests made through user-enabled global privacy controls, such as the GPC. The AG had quietly added an FAQ to its CCPA webpage in 2021 stating that the GPC “must be honored” as a request to opt out of the sale of personal information; these notices signal an increasingly aggressive enforcement approach. Businesses that receive a notice will have 30 days to cure their noncompliance, but this right to cure will expire when the California Privacy Rights Act becomes effective on January 1, 2023. The new round of notices makes clear the Attorney General’s expectation that businesses will honor user-enabled global privacy controls.

Additional Case Examples

The Attorney General also updated the CCPA Enforcement Case Examples webpage for the first time since July 2021 with 13 new case summaries. These include failure to honor consumer opt-out requests, failure to appropriately disclose financial incentives in loyalty programs, flaws in responding to consumer requests to access or delete personal information, and non-compliant privacy policies. The businesses involved ranged from telehealth providers to fintech to fitness chains.

In a press statement, Attorney General Bonta emphasized his view that the Sephora settlement would “send a strong message to businesses,” and noted “there are no more excuses” for not complying with CCPA. The settlement, case examples, and new round of notices reflect an increasingly robust focus on enforcing California privacy law, and pose additional compliance challenges as businesses prepare for the California Privacy Rights Act to take effect in 2023.

[1] Press Release, Cal. Dept. of Justice, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), (AG Bonta Press Release)
[2] AG Bonta Press Release
[3] AG Bonta Press Release; California v. Sephora, Inc., Case No. CGC-22-601380 (Cal. Sup. Ct. Aug. 24, 2022), available at Judgment.pdf

Changes to California Consumer Law Protections on January 1, 2022

By: Wesley M. Griffith and Jenna L. Conwisar

Effective January 1, 2022, California implemented several important changes to its consumer protection laws, ranging from data privacy to debt collection to updates to the Consumer Legal Remedies Act. This post highlights several notable changes that companies and practitioners may wish to bear in mind as they ring in the new year.

Data Privacy

In the world of data privacy, there has been a lot of buzz around California’s new consumer privacy law, the California Privacy Rights Act (CPRA), which was previously discussed on this blog here.

The CPRA will greatly expand the state’s current data protection infrastructure by, among other things, increasing consumer control over sensitive personal information, adding additional consumer privacy rights, and creating the California Privacy Protection Agency to enforce the CPRA.

While not effective until January 1, 2023, the CPRA will apply to certain data collected in 2022, requiring many businesses to begin updating their data practices now.[1]

Debt Collection

A number of the California consumer law updates that took effect on January 1, 2022 focused on debt collection practices. Perhaps most notable is the implementation of the Debt Collection Licensing Act (DCLA).[2] Aligning California with the majority of states that already have collection agency licensure requirements, the DCLA requires debt collectors and debt buyers operating in California to obtain a license from the Department of Financial Protection and Innovation.

The DCLA generally applies to entities collecting consumer debt in California, including organizations such as law firms and other companies engaged in collection activities who may not consider themselves “debt collectors” in the traditional sense. Critically, under the DCLA, debt collectors who missed the December 31, 2021 application deadline must halt operations in California until they are issued a license.[3]

Other changes to California debt collection laws effective January 1, 2022 include:

  • Health Care Debt and Fair Billing: Among other things, AB 1020 revises the state’s medical billing and debt collection policies, including by prohibiting hospitals from selling patient debt unless certain conditions are met.[4]
  • Identity Theft: AB 430 expands protections for victims of identity theft and requires debt collectors to pause collection activities until certain criteria are met if a consumer submits either a copy of a Federal Trade Commission (FTC) identity theft report or a police report.[5]
  • Fair Debt Settlement Practices Act: Adds new regulatory requirements and prohibitions on debt settlement service providers and payment processor activities. It also creates a consumer private right of action for intentional violations, with available remedies including actual damages, injunctive relief, attorneys’ fees, and/or statutory damages as high as $5,000 per violation.[6]

Consumer Legal Remedies Act

January 1, 2022 also saw revisions to the California Consumer Legal Remedies Act (CLRA).[7] As amended, the CLRA now offers additional protections to senior citizens from unfair and deceptive loan solicitations. Specifically, as amended the CLRA now applies to Property Assessed Clean Energy (PACE) program loans for seniors—such as loans for solar panels or energy efficient appliances. Violations are subject to $5,000 in statutory damages, on top of any actual or punitive damages, injunctive relief, restitution, and/or attorneys’ fees.[8]

*          *          *

Taken together, California has added significant additional complexity and potential liability to the consumer protection landscape at the outset of 2022, and companies that work in these spaces should be careful to ensure that their existing practices are updated to comply with the new laws.


[1] Cal. Civ. Code § 1798.130.

[2] Cal. Fin. Code § 100000 et seq.

[3] Debt Collection – Licensee, Department of Financial Protection & Innovation.

[4] Cal. Civ. Code §§ 1788.14, 1788.52, 1788.58, 1788.185; Cal. HSC § 127400 et seq.

[5] Cal. Civ. Code §§ 1788.18, 1788.61, 1798.92, 1798.93; Cal. Penal Code § 530.8.

[6] Cal. Civ. Code § 1788.300 et seq.

[7] Cal. Civ. Code § 1770.

[8] Cal. Civ. Code § 1780.

Factors to Consider in Disclosing a Cybersecurity Breach to the SEC


In this article published by Westlaw Today, Partners Brian R. Boch and Charles D. Riely and Associate William R. Erlain explain that the US Securities and Exchange Commission has ramped up its enforcement against misleading cybersecurity disclosures and announced plans to consider adopting new disclosure obligations. The authors highlight key factors to consider in determining whether and how a public company should disclose a cybersecurity breach in light of recent SEC guidance, enforcement actions and investigations, and private securities actions.


Supreme Court Answers the Call: Clarifies Meaning of “Automatic Telephone Dialing System” under the TCPA


By: Madeleine V. Findley and Emma J. O’Connor

On April 1, 2021, the Supreme Court of the United States unanimously reversed the Ninth Circuit Court of Appeals decision[1] in Facebook Inc. v. Duguid et al., No. 19-511, and held that in order for a device to be an “automatic telephone dialing system” (ATDS), a key term in the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. § 227, it must have the capacity to use a random or sequential number generator to either store or produce phone numbers to be called.[2] This decision represents a significant victory for entities defending against TCPA claims.

The TCPA prohibits making calls or sending text messages to mobile telephones using an ATDS (often simply referred to as an “autodialer”) without the prior express consent of the recipient. What precisely that means has become a heated dispute in TCPA litigation because using an ATDS to place a call is an essential component of many TCPA claims. The statute defines an ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called using a random or sequential number generator; and (B) to dial such numbers.”[3] Lower courts had split on the provision’s meaning. The Third, Seventh, and Eleventh Circuits interpreted the provision narrowly, holding that an ATDS must have the capacity to generate random or sequential phone numbers, not merely to store and dial the numbers automatically.[4] The Second, Sixth, and Ninth Circuits had taken a broad approach, holding that an ATDS need only have the capacity to store numbers to be called and to dial those numbers automatically.[5]


COVID-19 / Coronavirus

We are closely tracking and providing information on developments facing companies and organizations arising from the COVID-19 pandemic. In the latest alerts, our lawyers offer guidance on financial and tax relief provisions in Illinois; share observations of how landlords and real estate lenders are responding to defaulting tenants and borrowers; consider the effects of the crisis on M&A transactions; explore how social distancing affects ongoing environmental investigations and mediation; analyze how state and federal legislation may combat insurance coverage denials for COVID-19; and examine the Department of Labor’s guidance regarding expanded family and medical leave under the Families First Coronavirus Response Act. These alerts and others are available in the library of our COVID-19 / Coronavirus Resource Center.


COVID-19 / Coronavirus Resources

When we read the daily news, we see uncharted waters. Industries are being impacted overnight. We continue to do everything we can to support clients as they navigate these times. Our lawyers have provided practical insight into the legal and strategic challenges companies are facing. Jenner & Block has assembled a multi-disciplinary team, drawn from a variety of our practice areas and sector groups, to support clients, and we continue to update our COVID-19 / Coronavirus Resource Center, which provides helpful and timely information on those challenges. Following is a list of some of those pieces.

Evaluating Force Majeure Clauses in Connection with the COVID-19 Outbreak

As governments and businesses take action to mitigate the impact of COVID-19, companies must consider whether and to what extent their existing contractual agreements oblige parties to perform while events related to COVID-19 are impacting the performance under those contracts. Many contracts contain force majeure clauses that may excuse performance in the face of COVID-19. These provisions are not uniform, and the scope of relief they afford may vary considerably based upon the language used, the jurisdictions involved, and the unique facts and circumstances of each case. We provide a brief overview here of how a force majeure clause may excuse performance with respect to COVID-19-related events. To read more, please click here.

SEC Reacts to COVID-19 Crisis and Issues Relief Relevant to Public Companies and Regulated Entities

On Friday, March 13, 2020, and over the subsequent weekend, the Securities and Exchange Commission (SEC) and its staff made announcements with guidance and/or relief for public companies and firms experiencing challenges because of COVID-19 / coronavirus. The SEC and its staff appear to have calibrated the guidance and relief to balance investors’ need for information with the practical realities of an unprecedented public health event. The SEC also emphasized that it is continuing to “assess impacts relating to the coronavirus on investors and market participants, and will consider additional relief from other regulatory requirements.” To read more, please click here.

Cybersecurity Concerns with Regard to Work-From-Home Policies

The COVID-19 outbreak is causing many companies to consider work-from-home programs for many of their employees. Any arrangement in which employees are permitted to work from home poses a distinct set of cybersecurity risks and challenges, and those risks are heightened when most of the workforce is away from company-controlled offices. Ensuring that appropriate technical and administrative safeguards are in place before launching a wide-scale work-from-home program is critical to the safety of your network and data. For considerations that businesses should take into account when implementing work-from-home programs, please click here.

To stay abreast of developments through this unprecedented situation, continue to monitor the Consumer Law Round-Up blog and visit the resource library for helpful reference materials.


New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements. First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.


FinCEN Issues Report on Business Email Scams


By: David P. Saunders

At the risk of stating the obvious, everyone uses email. It has become a central component of both our daily lives and, of course, our businesses. As we transform into a fully digital, corporate world, there are those who have sought to exploit the growing reliance on email: spammers, hackers, and, of course, phishers. No, not the people who go to those really long concerts; we are talking about email scammers who purport to tell you that your UPS package has arrived, but all you need to do is click a link and enter some information. These scams can cripple a business, and preventing them is difficult because in many ways the solution relies on removing human error.

Enter the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes. FinCEN recently held a forum aimed at discussing ways to identify and curtail business email scammers. The forum, held in New York City, analyzed the trends in business email scams. At the forum, FinCEN released a report indicating that reporting of business email scams had more than doubled between 2016 and 2018. The report also detailed that fake invoice scams grew as a methodology, and that manufacturing and construction businesses were top targets.


HUD Brings Housing Discrimination Charge Against Facebook

By Emily A. Bruemmer

On March 28, 2019, the US Department of Housing and Urban Development (HUD) filed a Charge of Discrimination against Facebook, alleging that Facebook violated the Fair Housing Act “by encouraging, enabling, and causing housing discrimination through the company’s advertising platform.” This is an administrative action filed by the Secretary of HUD, on behalf of complainant Assistant Secretary for Fair Housing and Equal Opportunity, before the Office of Administrative Law Judges at HUD. Unless any of the parties chooses to have the case heard in federal district court, an administrative law judge will hear the charge and may award damages, in addition to injunctive or other equitable relief, attorney fees, and fines. HUD previously announced a formal complaint, initiated by the Secretary of HUD, against Facebook in August 2018. The formal complaint was the first step in a process that then moved to a fact-finding investigation. Last month’s charge indicates that the investigation resulted in a determination that there was reasonable cause to believe that Facebook violated the Fair Housing Act.


Facebook Announces Potential $5 Billion FTC Fine

By Emily A. Bruemmer

On April 24, 2019, Facebook announced in its Q1 earnings release that it had set aside $3 billion and estimates that it may pay up to $5 billion in a fine related to the FTC’s ongoing inquiry into its “platform and user data practices.” Facebook entered into a settlement with the FTC related to its privacy practices in 2011, which has reportedly been re-opened. This would be the largest fine ever imposed by the FTC on a technology company. The possibility of a “multi-billion dollar fine” was first reported this February by The Washington Post.