California AG Throws A Stake in the Ground on “Sales” With $1.2 Million Fine

On August 24, 2022, California Attorney General (“CA AG”) Rob Bonta announced a settlement with Sephora USA, Inc. that includes a $1.2 million fine—the first monetary penalty imposed under the CCPA. The settlement also includes prospective reporting obligations and injunctive terms. Following its review of online retailers, the California AG alleged that Sephora had failed to: (1) inform consumers that it was selling their personal information (“PI”); (2) post a “Do Not Sell My Personal Information” link on its website; and (3) process requests to opt-out of sale via user-enabled global privacy controls (“GPCs”). The CA AG notified Sephora of these alleged violations, triggering the CCPA’s 30-day notice and cure period. Sephora, allegedly failed to cure. If the settlement is approved, Sephora will need to implement measures to comply with the Judgment, conduct regular compliance assessments for two years, and pay the $1.2 million fine.

Allegations

Selling Personal Information (CCPA § 1798.130(a)(5))

The CA AG alleged in the Complaint that Sephora’s privacy policy failed to disclose that it was selling California consumers’ PI. Instead, Sephora expressly told consumers that it did not “sell personal information.”

Through its website and mobile applications, Sephora collected, among other PI, consumers’ geolocation data, information from cookies, and other user identifiers. Sephora also made consumers’ PI available to third parties, including advertising networks, data analytics providers, and business partners. In particular, Sephora allowed for the installation of third-party trackers on its website and mobile applications (e.g., cookies, pixels, software development kits, etc.) that automatically collected and sent consumer data to third parties. The CA AG contended that the decision to provide third parties with access to customer PI in exchange for services from those entities, including free or discounted analytics and advertising benefits, constituted a CCPA “sale.” As a result, Sephora allegedly failed to satisfy its obligations to disclose to consumers that it was selling their PI and allow consumers to opt-out of the sale of their information. 

Opt-Out Links (CCPA § 1798.135(a)(1))

Second, the CA AG alleged that Sephora violated the CCPA by failing to post a clear and conspicuous “Do Not Sell My Personal Information” link on its website or mobile applications or provide an alternative means of opting out of the sale of consumer PI.

Global Privacy Controls (CCPA §§ 1798.120(a); 1798.135(a)(4))

Lastly, the CA AG claimed that Sephora was required, and failed, to refrain from selling PI of consumers who opted out of the sale of their PI through user-enabled GPCs. A GPC allows consumers to opt-out of all online sales without having to click on an opt-out link by broadcasting a “do not sell” signal across every website they visit. CA AG Bonta asserted that under the CCPA, businesses must treat opt-out requests made by user-enabled GPCs the same as requests made by users who click the “Do Not Sell My Personal Information” link. To emphasize this point, CA AG Bonta stated: “There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Settlement

In addition to the payment of $1.2 million into the California Consumer Privacy Fund, the settlement requires Sephora to comply with the CCPA by providing consumers with notice that it sells their PI and offering consumers the right to opt-out of all sales. Sephora must also process consumer requests to opt-out via signals from GPCs.

Moreover, Sephora must conduct an annual regular review (for a period of two years) of its website and mobile applications to determine with whom it “sells” or “shares” PI. The results of this review must be released in an annual report to the CA AG identifying: (1) the names of entities that receive PI; (2) the PI available to such entities; (3) Sephora’s purpose(s) for making the PI available; and (4) whether Sephora considers the entities to be service providers. Any service providers must have a contract with Sephora that meets the requirements outlined in the CCPA.

During this period, Sephora must also implement and maintain a program to assess and monitor whether it effectively processes opt-out requests, including requests submitted via user-enabled GPCs. Like before, this assessment is to be shared with the CA AG in an annual report.

Other CCPA Enforcement

Beyond announcing its settlement with Sephora, the CA AG also updated its public list of CCPA enforcement case examples. Recent additions include: (1) An enforcement sweep of businesses operating loyalty programs that offered financial incentives (such as discounts, free items, or other rewards) in exchange for PI without providing consumers with a notice of financial incentive; (2) An online advertising business whose privacy disclosures were not understandable to the average consumer and did not include the required information; and (3) A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.

Key Takeaways

• Beware of Sales (and “shares”). Privacy policy assertions that a Company does not “sell” PI will be closely scrutinized. Businesses should understand what constitutes a sale, particularly in the active ad tech ecosystem, and comply with the CCPA’s notice and choice regime. The California Privacy Protection Agency’s (“CPPA”) draft CPRA regulations strongly suggest that scrutiny of sales of PI will continue unabated, and the aperture will be widened to include “sharing” under the CPRA.
• CA AG Means business with Global Opt-Outs. While the CCPA does not explicitly mention global opt-outs, the Sephora settlement asserts that honoring signals sent by browsers using GPCs is currently required under California law. The CCPA’s proposed regulations align with this position, interpreting the provisions of the CCPA regarding opt-out preference signals as mandatory. The Sephora settlement press release also indicated that CA AG Bonta sent notices to several other businesses on August 24 regarding alleged failures to process consumer opt-out requests made via user-enabled GPCs. If not already deployed, businesses should move quickly to honor signals from user-enabled GPCs, particularly since this is an area of heightened regulatory enforcement.
• CCPA Notice and Cure Provision to Expire on January 1, 2023. Sephora could have avoided this settlement and the attending fine and future obligations if it had cured the alleged violations within 30 days. The CA AG noted, however, in the press release announcing the Sephora settlement that the CCPA’s notice and cure provision will expire on January 1, 2023. With the impending expiration of the notice and cure provision, businesses should work toward consistent compliance with the CCPA as it is unclear if the CA AG and CPPA will provide any informal notice and cure periods in post-2022 enforcement actions.
• Employ Valid Service-Provider Contracts to Limit “Sales.” The CA AG views the deployment of user tracking technologies, such as third-party cookies and software development kits, to collect user PI as a “sale,” subject to the CCPA’s opt-out requirements. Businesses should therefore embrace valid service-provider contracts as a means of reducing compliance obligations. Understanding a businesses’ data flows and third-party collection of PI are necessary initial steps, however, in drafting effective service-provider agreements.