
Sephora has agreed to pay $1.2 million to settle allegations that it violated the California Consumer Privacy Act (“CCPA”), a state law that limits companies’ collection and sale of consumers’ personal information and provides consumers with expansive rights with respect to their personal information. The LVMH-owned beauty retailer came under fire after an enforcement sweep of online retailers by the California Attorney General’s office revealed that it “failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and did not cure these violations within the 30-day period currently allowed by the CCPA.” The settlement, which is dependent upon court approval, is the first CCPA enforcement action since the law went into effect on January 1, 2020. 

“The settlement with Sephora underscores the critical rights that consumers have under California Consumer Privacy Act to fight commercial surveillance,” California Attorney General Rob Bonta said in a statement on Wednesday. “Consumers are constantly tracked when they go online, [with] many online retailers allowing third-party companies to install tracking software on their website and in their app so that third parties can monitor consumers as they shop. These third parties track all types of data – in Sephora’s case, the third parties could create profiles about consumers by tracking whether a consumer is using a MacBook or a Dell, the brand of eyeliner or the prenatal vitamins that a consumer puts in their ‘shopping cart,’ and even a consumer’s precise location.” 

“Retailers like Sephora benefit in kind from these arrangements, which allow them to more effectively target potential customers,” Bonta said. 

In addition to paying $1.2 million in penalties, as part of the settlement, Sephora will also be required to clarify its online disclosures and privacy policy to include an affirmative representation that it sells data; provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control (“GPC”); conform its service provider agreements to the CCPA’s requirements; and provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor GPC. 

In response to the settlement, which it says “does not constitute an admission of liability or fault by Sephora,” the beauty chain pushed back against the Attorney General’s classification of its data practices as the “sale” of data. The CCPA “does not define ‘sale’ in the traditional sense of the term,” a representative for Sephora said in a statement on Wednesday. “‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.” 

The Sephora settlement comes as part of a larger effort by Bonta’s office to enforce the California Consumer Privacy Act, with Bonta revealing on Wednesday that he sent notices to “a number of businesses” alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls. 
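The violation the Attorney General cites in both the Sephora settlement and the new notices is a mechanical one: a browser with Global Privacy Control turned on sends the request header `Sec-GPC: 1` on every request, and a site that sells or shares personal information has to treat that header as an opt-out just as it would a click on a “Do Not Sell” link. The following is an added example, not code from the article or from Sephora, of how a server can honor that signal: the request shape (a plain object with `headers` and `cookies`), the `opt_out_sale` cookie name, and the list of third-party tags are all constructed for illustration.

```javascript
// Honoring the Global Privacy Control (GPC) opt-out signal server-side.
// Added example; not the article's or Sephora's code. The request shape,
// the "opt_out_sale" cookie name and the TAGS list are assumptions.

// Per the GPC specification a user agent with GPC enabled sends the request
// header "Sec-GPC: 1". Any other value, or no header at all, is not a signal.
// Browsers forbid page scripts from setting "Sec-" prefixed headers, so the
// header can only originate from the user agent itself, not from an embedded
// third-party script. Header names are matched case-insensitively because not
// every framework lowercases them the way Node's http module does.
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Constructed list of tags the site would otherwise embed. "sells" marks tags
// whose data flow the site has classified as a sale or share of personal
// information (cross-context behavioral advertising); first-party analytics
// is left as an example of a tag that is not.
const TAGS = [
  { name: "site-analytics", sells: false, src: "https://analytics.example/tag.js" },
  { name: "ad-retargeting", sells: true, src: "https://ads.example/pixel.js" },
  { name: "social-pixel", sells: true, src: "https://social.example/px.js" },
];

// Decide which tags to emit for a request. The opt-out is honored when either
// the browser sends GPC or the user previously opted out through the site's
// own control, which this example records in an assumed "opt_out_sale" cookie.
// A GPC signal must never be overridden by a stale "opted in" cookie.
function selectTags(req) {
  const cookies = req.cookies || {};
  const optedOut = gpcEnabled(req.headers) || cookies["opt_out_sale"] === "1";
  return {
    optedOut,
    tags: TAGS.filter((t) => !(optedOut && t.sells)).map((t) => t.name),
  };
}

// Renders the <script> tags that survive the opt-out decision.
function renderTags(req) {
  const chosen = new Set(selectTags(req).tags);
  return TAGS.filter((t) => chosen.has(t.name))
    .map((t) => `<script src="${t.src}"></script>`)
    .join("\n");
}

// Body for /.well-known/gpc.json, the resource the GPC spec defines so that a
// site can state that it abides by the signal. "gpc" is a boolean and
// "lastUpdate" an ISO 8601 date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests.
const requestWithGpc = {
  headers: { "sec-gpc": "1", "user-agent": "Mozilla/5.0" },
  cookies: {},
};
const requestWithoutGpc = {
  headers: { "user-agent": "Mozilla/5.0" },
  cookies: {},
};
const requestCookieOptOut = {
  headers: { "user-agent": "Mozilla/5.0" },
  cookies: { opt_out_sale: "1" },
};

console.log("GPC on:      ", selectTags(requestWithGpc));
console.log("GPC off:     ", selectTags(requestWithoutGpc));
console.log("cookie opt-out:", selectTags(requestCookieOptOut));
console.log(renderTags(requestWithGpc));
```

Two caveats a practitioner should carry over from this. First, the header decides only the server-rendered page; tag managers and consent-management scripts that load trackers client-side must make the same decision from `navigator.globalPrivacyControl`, or the server's choice is undone. Second, the classification in `TAGS` is the whole question in the Sephora matter: Sephora's position was that cookie-based ad personalization is not a “sale”, and the Attorney General's position was that it is, so a tag that is mislabeled `sells: false` leaves the signal unhonored no matter how correctly the header is parsed.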

Characterized as one of the strongest consumer privacy laws in the country, the CCPA applies to for-profit “businesses” that do business in California, that collect California residents’ personal information (or on whose behalf such information is collected), that alone or jointly with others determine the purposes or means of processing that data, and that either … have at least $25 million in annual revenue, have personal data on at least 50,000 people, or derive at least 50 percent of annual revenue from selling consumers’ personal information. (Companies need not be headquartered in California – or even have a physical presence there – for the law to apply.) 

The CCPA provides a non-exhaustive list of categories of personal information, including name, postal address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; characteristics of protected classifications under California or federal law; commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement; geolocation data; professional or employment-related information; and education information that is not publicly available. 

CCPA actions are not initiated only by the state’s Attorney General: the CCPA also provides a private right of action, which had prompted more than 170 CCPA claims to be filed as of earlier this year, a handful of which have targeted retailers. According to Steptoe & Johnson’s Stephanie Sheridan, Meegan Brooks and Surya Kundu, “Courts are continuing to determine what conduct falls within the CCPA’s narrow private right of action, which applies only when a statutorily-defined subset of a California resident’s ‘non-encrypted and non-redacted’ personal information ‘is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable and appropriate security procedures and practices.’”

All the while, a new, more aggressive iteration of the CCPA, the California Privacy Rights Act, will take effect in 2023, which Sheridan, Brooks and Kundu say “could usher in a new wave of private and public enforcement suits.”