California Attorney General’s First CCPA Settlement Sends Strong Messages about Do Not Sell Enforcement and Will Cost Sephora $1.2 million

On August 24, 2022, the California Attorney General announced the first public settlement under the California Consumer Privacy Act of 2018 (CCPA), resolving an action against Sephora, Inc., a beauty product retailer, for ignoring requests from California customers not to sell their personal information, and for deceptively advertising to California residents that the company does not sell consumer personal information to third parties when it in fact did so. The settlement order requires Sephora to come into compliance with the CCPA and to pay a $1.2 million fine. The CCPA applies to companies across a wide range of industries, including telecom service providers, who meet one or more of the minimum statutory thresholds for services offered to California residents.

The Attorney General’s investigation into Sephora’s CCPA violations and unfair competition practices sends several strong signals. First (and foremost), it communicates that the California Department of Justice takes CCPA protections seriously. In so doing, the complaint against Sephora reaffirms the Attorney General’s Office’s longstanding position that the right to opt out of the sale of one’s personal information is the “hallmark of the CCPA.” It also shows that the Attorney General’s Office does not patiently wait for disgruntled consumers to report violations of their privacy rights, but instead actively audits covered entities and pursues enforcement actions against non-compliant businesses on its own. Finally, the settlement order suggests that if the Attorney General’s Office notifies a covered business that it violated the CCPA, swift remedial action could prevent further investigation and/or enforcement action. These key takeaways are explained more fully below.

Background

The CCPA, as amended by the California Privacy Rights Act (CPRA), empowers California residents with unprecedented control over how businesses use or share their personal data. Notable CCPA protections include:

  • The right to know about the personal information a business collects about California consumers and how it is used and shared;
  • The right to delete collected personal information, subject to some exceptions;
  • The right to opt out from the sale of personal information;[1] and
  • Safeguards against discrimination and retaliation for exercising CCPA rights.

The CCPA applies broadly to for-profit businesses that collect, use, share, and/or sell personal information of California residents, and exceed at least one of the following statutory thresholds:[2]

  • Have annual gross revenues exceeding $25 million;
  • Alone or in combination, annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50 percent or more of their annual revenues from selling consumers’ personal information.

The CCPA also imposes obligations on service providers who process personal information of California residents on behalf of covered business partners through contractual obligations with these partners.

Sephora’s CCPA Violations and Remedial Obligations

The Attorney General’s Office found that despite advising California residents that the company does not sell their personal information, Sephora sold their personal information to third parties in violation of the CCPA. The company also failed to post to its website a “do not sell my personal information” link, as expressly required by the CCPA. And when consumers submitted requests not to sell their personal information by other means, e.g., through user-enabled global privacy controls (GPC), Sephora ignored these requests.

Under its settlement with the Attorney General’s Office, Sephora is subject to various remedial obligations, including:

  • Paying a $1.2 million civil penalty;
  • Amending its online disclosures and privacy policy to include an affirmative representation that it sells personal information;
  • Establishing mechanisms for California residents to opt out of the sale of personal information, including via GPC;
  • Revising its service provider agreements to comply with CCPA requirements; and
  • Providing reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor user-enabled GPC preferences.

Implications of the Sephora Settlement on Other Businesses

The Sephora investigation offers several practical lessons for businesses subject to the CCPA and their service providers. First, it sends an unmistakable message that the California Department of Justice will not tolerate violations of the state’s residents’ privacy rights. If the above-discussed settlement terms to which Sephora agreed do not adequately drive this point home, the settlement order announcement advises further that on the same day the Attorney General’s Office publicized the Sephora settlement, the Office also “issued notices to a wide array of businesses alleging noncompliance with the CCPA.” These notices to cure have been issued to major companies in the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others.

Second, if you think that no one will go after your company for ignoring the CCPA unless and until unhappy consumers take matters into their own hands, think again. The Sephora complaint and the above-referenced notices to cure that were just sent out all result from a sweeping CCPA audit conducted by the Attorney General’s Office on its own initiative. And while this audit targeted major players, smaller providers are far from immune from CCPA liability.

Finally, if you receive a CCPA noncompliance notice from the Attorney General, responding promptly and cooperating fully could limit your company’s liability. The Sephora complaint specifically explains that the Attorney General’s investigation followed Sephora’s “fail[ure] to cure any of the alleged violations,” and “le[d] to this enforcement action,” implying that the Department of Justice might have been more lenient had the company shown at least some signs of cooperation.

If you receive a notice alleging that your company has violated the CCPA, or have questions about your company’s data privacy obligations, please contact Linda G. McReynolds at (703) 714-1318 or lgm@commlawgroup.com.

[1] The Attorney General’s Office interprets “sales” broadly to encompass all arrangements, including advertisements targeting specific individuals, under which businesses share consumer personal information with third parties and obtain an economic benefit from doing so.

[2] Please note that the CPRA, which will become operative on January 1, 2023, revises these thresholds.

 
