One of the world’s largest cosmetics retailers, Sephora, will have to pay $1.2 million in fines for violating the California Consumer Privacy Act (CCPA) by selling customers’ personal information and failing to comply with opt-out requests.
According to California Attorney General Rob Bonta, in exchange for benefits like targeted advertising and discounted analytics, Sephora made its users’ personal information available to online third-party trackers without telling them it was doing so. The Global Privacy Control (GPC) browser extension automatically communicates users’ privacy preferences to every website they visit, without requiring them to click each website’s opt-out link manually. Sephora also failed to execute the opt-out requests that this signal sent to its site.
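The GPC signal described above is a plain request header (`Sec-GPC: 1`, also exposed to page scripts as `navigator.globalPrivacyControl`), so honouring it is a small server-side check. The following is an added example written for this page, not code from the article or from Sephora; it assumes a hypothetical registry of third-party tags (`THIRD_PARTY_TAGS`) classified by whether loading them sells or shares personal information, and it shows how a site would treat the signal as an opt-out and record why it made that decision.

```javascript
// Added example (not the article's or Sephora's code): honouring the Global
// Privacy Control (GPC) opt-out signal on the server.
// Browsers with GPC enabled send the request header "Sec-GPC: 1"; page
// scripts see the same preference as navigator.globalPrivacyControl === true.

// Constructed, hypothetical tag registry: the vendors a page normally loads and
// whether loading each one counts as a "sale"/"share" of personal information.
const THIRD_PARTY_TAGS = [
  { vendor: 'first-party-analytics', sellsData: false },
  { vendor: 'ad-network-pixel',      sellsData: true  },
  { vendor: 'data-broker-tracker',   sellsData: true  },
];

// Parse the GPC header. The only valid opt-out value is "1"; any other value
// (or a missing header) means "no signal", not "opted in". Header names are
// matched case-insensitively because HTTP header names are case-insensitive.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client-side equivalent: pass a navigator-like object (window.navigator in a
// browser). Only a strict `true` counts as the signal being set.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which tags may load for this request. An opt-out, whether it comes
// from GPC or from a preference the user stored earlier via a "Do Not Sell My
// Personal Information" link, removes every tag that sells or shares data.
function tagsAllowedForRequest(headers, storedOptOut = false) {
  const optedOut = gpcSignalPresent(headers) || storedOptOut;
  return THIRD_PARTY_TAGS
    .filter(tag => !(optedOut && tag.sellsData))
    .map(tag => tag.vendor);
}

// Audit record of the decision and its source, so a later compliance review
// (the annual review the settlement calls for) can verify opt-outs were honoured.
function optOutDecision(headers, storedOptOut = false) {
  const viaGpc = gpcSignalPresent(headers);
  const source = viaGpc ? 'Sec-GPC header'
               : storedOptOut ? 'stored preference'
               : 'none';
  return {
    optedOut: viaGpc || storedOptOut,
    source,
    allowedTags: tagsAllowedForRequest(headers, storedOptOut),
  };
}

// Constructed sample requests: one browser sending GPC, one not.
const sampleWithGpc    = { 'sec-gpc': '1', 'user-agent': 'constructed-sample' };
const sampleWithoutGpc = { 'user-agent': 'constructed-sample' };

console.log(optOutDecision(sampleWithGpc));
console.log(optOutDecision(sampleWithoutGpc));
```

The design point is that the signal is evaluated before any tag is emitted, not after, and that a missing or malformed header never counts as consent; the stored-preference path is kept separate so that a user who opted out via the site's own link is still honoured when their browser does not send GPC.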
On August 24, 2022, Bonta announced that his office had negotiated a $1.2 million settlement with Sephora, Inc. on claims that the company had violated Business and Professions Code (BPC) Sections 17200 et seq. and the California Consumer Privacy Act (CCPA).
Bonta pointed out that the charges surfaced after an enforcement sweep of online merchants conducted as part of his office’s continuing CCPA enforcement.
After an investigation, Bonta concluded that Sephora failed to notify customers that it was selling their personal information and did not offer them a clearly visible “Do Not Sell My Personal Information” link on its website or mobile application. Additionally, Bonta found that Sephora did not correct the infractions within the 30-day cure window currently permitted by the CCPA, since Sephora did not execute user requests to opt out of sale sent via the user-enabled global privacy control.
Bonta further emphasized that his office had reached a settlement requiring Sephora to pay $1.2 million in fines and to comply with Sections 1798.20 and 1798.135 of the California Consumer Privacy Act and with Regulations 7011, 7012, 7026, and 7051 of the CCPA Regulations. Additionally, Bonta required that Sephora abide by the following conditions:
- providing mechanisms for users to opt out of the sale of personal information, including via the global privacy control;
- clarifying its online disclosures and privacy policy to include an affirmative representation that it sells data;
- conforming its service provider agreements to the CCPA’s requirements; and
- providing annual reports to the attorney general regarding its sale of personal information, the status of its service provider relationships, and its efforts to improve data security.
In addition, the settlement mandates that Sephora implement and maintain a program to evaluate and track whether it is correctly handling opt-out-of-sale requests, and conduct an annual review of its websites and mobile apps to identify the entities with which it shares personal information, beginning within 180 days of the settlement’s effective date and continuing for the following two years.