On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora resolving alleged violations of the California Consumer Privacy Act (CCPA). Although the CCPA has been in effect since January 2020, this marks the first time that an enforcement action under the statute has led to fines for a business.
According to a press release issued by Attorney General Bonta, his office conducted "an enforcement sweep" of large retailers in June 2021 to determine compliance with the CCPA. Sephora's main alleged violation, as determined by Attorney General Bonta's office, was its failure to comply with requests to not sell consumers' personal information to third parties. Sephora also was alleged to have failed to notify consumers that Sephora sells their data to third parties, failed to provide a "Do Not Sell My Personal Information" option on the Sephora website, and ignored signals from the Global Privacy Control ("GPC") tool requesting that users' information not be sold.
The last of these violations reveals an important determination by the Attorney General's office: entities subject to the CCPA must comply with GPC signals. The GPC is a third-party browser plug-in designed to automatically and universally opt a user out of data processing and/or sale across different websites. The complaint in this case, as well as the FAQs about the CCPA on Attorney General Bonta's website, make it clear that his office is backing the GPC as a tool for consumers—and complying with GPC signals is required under the CCPA.
Sephora was notified of its alleged CCPA violations on June 25, 2021 and given a thirty-day period to remedy them, but failed to do so in the eyes of the Attorney General's office. This thirty-day "notice and cure" period is currently required by the CCPA in order to give businesses a chance to fix issues before being subject to a fine or other enforcement actions. But, notably, as Attorney General Bonta's press release explains, beginning January 1, 2023, the notice-and-cure mechanism sunsets, meaning that the Attorney General's office can begin enforcement as soon as a violation is detected—without a thirty-day waiting period. This means that businesses should be even more vigilant to ensure they are compliant with the CCPA in order to avoid suffering hefty fines, with no opportunity to fix violations prior to enforcement.
The complaint against Sephora can be found here. The settlement agreement can be found here.
Attorney General Bonta claimed in a statement that the "settlement [with Sephora] sends a strong message to businesses that are still failing to comply with California's consumer privacy law. My office is watching, and we will hold you accountable."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.