On August 24, the California Attorney General (CA AG) Rob Bonta announced that his office reached a settlement with Sephora Inc. (Sephora) to resolve claims that Sephora’s use of third-party tracking technologies violated the California Consumer Privacy Act (CCPA). The action is the first formal complaint brought by the AG under the CCPA since it became effective on January 1, 2020. If approved, the settlement will require Sephora to take immediate action to comply with the law, conduct regular compliance assessments for two years, and pay a $1.2 million fine.
California AG’s CCPA Complaint: Allegations
According to the complaint, the CA AG discovered the violation through an "enforcement sweep" of large retailers that started with an analysis of whether their websites honored Global Privacy Control signals (GPC). This enforcement sweep led to a further analysis of Sephora’s privacy notice and opt-out procedures. The complaint alleges that Sephora was notified of these violations and failed to cure them within 30 days.
Alleged violations
The complaint alleges that Sephora installed certain analytics, advertising cookies, and other tracking technologies on its website and mobile apps that enabled those technology providers to track the activity of Sephora users, including on products viewed or items added to carts.
Sephora took the position in its website privacy policy that the company did not "sell" personal information, but the complaint alleged, and the AG's office argues, that allowing third parties to collect personal information via cookies was, in fact, a sale of that personal information. According to the AG, this sale triggered obligations for Sephora to offer consumers the choice to opt-out of such disclosures.
The complaint alleged that Sephora violated the CCPA, first, by failing to post a "Do Not Sell My Personal Information" link on its website and mobile apps that could be used by consumers electing to opt out and, second, by failing to detect and process opt-out signals on its website sent by browsers where the user had enabled Global Privacy Control (GPC).
Further, Sephora could not convincingly allege that these advertising and analytics partners were “service providers” because Sephora did not have valid contracts in place with these partners to justify the service provider designation.
In addition to claiming violations of the CCPA and implementing its regulations, the complaint includes a count for violation of California's Unfair Competition Law, alleging that Sephora's privacy policy included false or misleading statements and that consumers were deprived of their ability to opt-out of the sale of personal information.
California AG: Settlement
The settlement requires Sephora to:
- Remediate its website to honor GPC signals and effectuate consumer opt-outs and DNS.
- Conduct annual assessments of whether it is effectively processing consumer requests to opt out of the sale of their personal information for a period of two years and to submit such assessments to the CA AG's office.
- Document the entities with whom it shares personal information and, if it takes the position that such are service providers, confirm in a report to be provided to the CA AG that appropriate contractual provisions are in place.
Additional regulatory action:
The CA AG's office also updated its public list of examples of instances in which notices of noncompliance with the CCPA have been issued:
- Of the 13 examples provided, 10 involved some sort of failure to properly offer consumers the right to opt-out of the sale of their personal information.
- Several examples also cited deficiencies in privacy notices, such as incorrect or misleading statements about the business's practices related to the sale of personal information and/or the process to submit right to know or delete requests, such as the failure to offer two designated methods or describe the request verification process. Two examples cited failure to provide training to employees who handled consumer privacy requests.
Action-Items/Takeaways:
Businesses should closely analyze the California AG's position that deployment of third-party cookies on a website will be viewed as a “sale” of personal information to the third party, which would be subject to CCPA opt-out and other requirements.
- Businesses should be able to avoid offering an opt-out by treating the party as a service provider. However, a legally compliant contract restricting the use of personal information must be in place for this to work.
- The Sephora complaint suggests the CA AG is (at a minimum) skeptical of the standard contract terms that come with "widely available advertising and analytics" tools. Businesses, particularly online retailers, should therefore have a detailed understanding of the data flows that occur on their online properties and the ways in which third parties are using data collected.
- Businesses should audit their practices to confirm they honor signals sent by browsers using GPC, as the CA AG has taken the position that this is a requirement of current state law.
- Complaints regarding consumers' rights processes, either right to know/delete or opt-out, are easy for a regulator to identify, whether through an enforcement sweep or due to its receipt of consumer complaints. Once a potential issue is on the regulator's radar, it can lead to a thorough investigation of a business's privacy program by the CA AG, which may result in the identification of more significant compliance issues.
Octillo regularly monitors the data privacy landscape and will continue to provide updates on enforcement trends related to the CCPA, GDPR, and other global and domestic privacy regulations. Our team routinely works with clients to update their external policies and data collection practices to work towards compliance with the growing list of privacy regulations.
*Attorney Advertising. Prior results do not guarantee similar outcomes.
