What Sephora’s CCPA Fine Means for Multi-Location Retailers
News that Sephora will be fined $1.2 million in the first public enforcement of California’s Consumer Privacy Act (CCPA) spread rapidly last week. The beauty retailer allegedly sold people’s data to third-party companies without telling them and then failed to cure the violations after being notified by California Attorney General Rob Bonta.
This marks the first time a major retailer has faced public enforcement action for a violation of the CCPA and makes clear that California’s attorney general is getting serious about data privacy.
According to Dan Clarke, president of Truyo, a privacy rights platform backed by Intel, the enforcement is intended to send the message that companies need to get compliant now and that there will be very little forgiveness for the definition of “sale” when it comes to data privacy and consumer information going forward.
“If a company is exchanging personal information for a benefit without disclosing it to customers and providing a way for them to opt out, they will be in violation,” Clarke says. “In the case of Sephora, though they weren’t technically selling personal information, they were reportedly making the data available in exchange for targeted advertising and discounted analytics.”
The CCPA became the country’s first — and only — active, comprehensive state data privacy law when it took effect in 2020. By 2021, a number of other states had joined California in passing their own data privacy regulations. Virginia, Colorado, Utah, and Connecticut have each passed privacy laws set to take effect in 2023. However, no federal data privacy law currently exists in the U.S., and debate over whether one should be enacted is ongoing in Congress.
The penalties being levied against Sephora, as part of a settlement agreement, require the cosmetics retailer to clarify its online disclosures and privacy policies to include an affirmative representation that it sells data. The company must also provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control, conform its service provider agreements to the CCPA’s requirements, and provide ongoing reports to the California Attorney General relating to its sale of personal information.
Sephora isn’t the only multi-location retailer currently caught in the crosshairs. Attorney General Bonta has reportedly also sent notices to a number of additional businesses alleging non-compliance for failing to process consumer opt-out requests made via user-enabled global privacy controls.
Global privacy controls allow consumers to opt out of all online sales by broadcasting a “do not sell” signal to every website they visit. Under the CCPA, companies are required to treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who clicked “Do Not Sell My Personal Information” links.
While it’s unclear which businesses received notices from the Attorney General, those businesses have less than a month to cure any alleged violations, after which they may face enforcement action, as Sephora did.
“Until January 1, 2023, companies that receive a notice will have 30 days to comply or they’ll face an enforcement action,” Clarke says. “After that date, CPRA goes into effect and the 30-day cure period will go away. Companies that aren’t compliant by January 1, 2023 could face an enforcement act without a warning.”
In the meantime, Clarke says it’s especially important that all retail brands step up their efforts to get compliant. A simple check of a brand’s website can indicate whether the company is in compliance: looking for privacy disclosures and for opt-out mechanisms are among the easy checks Clarke recommends businesses perform to see whether they are compliant.
“The age of enforcement is here. The age of just sending warnings is over. You need an updated notice and updated contracts with your vendors. You need to revisit if you fit the very broad definition of sale under CCPA, and if so, post a compliant do-not-sell link and respect the Global Privacy Control signal,” Clarke says. “It’s so easy for companies to check. Clearly, this is just the beginning.”