Sephora has agreed to pay $1.2 million to settle charges by California Attorney General Rob Bonta that the beauty retailer violated the state’s California Consumer Privacy Act (CCPA).
The CCPA, which went into effect in 2020, is the first and only active comprehensive state data privacy law in the country.
Although the law has been in effect since then, this is the first amount paid to the U.S. government under this relatively new legislation. It is a real blow to companies that sell information about people without their consent.
Attorney General Rob Bonta conducted a year-long investigation of Sephora and other companies to determine whether any of them were failing to comply with California’s consumer privacy law.
Sephora allegedly failed to inform consumers that the company was selling personal data collected on its website, and failed to process consumer requests to opt out of that sale when they were sent through user-enabled global privacy controls, Bonta’s office said.
“Sephora’s fine should serve as a reminder to organizations to review privacy policies with employees and conduct compliance audits,” said Sam Humphries, head of EMEA security strategy for cybersecurity firm Exabeam.
According to the complaint, the investigation into Sephora follows an “enforcement sweep” in June 2021 to determine whether online retailers were complying with consumer opt-out signals sent through Global Privacy Control, a tool that allows users to tell websites their privacy preferences.
This enforcement action indicates that sharing personal information with third parties for targeted advertising or analytics purposes constitutes a “sale” under the CCPA, and that companies are obligated to offer consumers an opportunity to opt out.
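What honouring a Global Privacy Control signal looks like on the server side, as an added example that is not part of the article and not Sephora’s or anyone’s actual implementation: the `Sec-GPC: 1` request header is the opt-out signal defined by the GPC specification, while the tag catalogue, its third-party classification and the sample requests are constructed for illustration.

```python
# Added example: treat a GPC opt-out signal as a request to stop sharing
# visitor data with third-party advertising and analytics tags.
# "Sec-GPC: 1" is the header defined by the GPC specification; everything
# else here (tag names, classification, sample requests) is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    name: str
    # True when the tag sends visitor data to a third party for advertising
    # or analytics, which the enforcement action treats as a "sale".
    shares_with_third_party: bool


# Constructed catalogue of tags a retail site might embed on each page.
SITE_TAGS = [
    Tag("first-party-cart", shares_with_third_party=False),
    Tag("ad-network-pixel", shares_with_third_party=True),
    Tag("third-party-analytics", shares_with_third_party=True),
]


def gpc_opt_out(headers: dict) -> bool:
    """Return True when the request carries a GPC opt-out signal.

    Header names match case-insensitively. The spec defines only the
    value "1", so any other value is treated as "no signal", never as an
    opt-out, to avoid acting on malformed input.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def tags_to_load(headers: dict, catalogue=SITE_TAGS) -> dict:
    """Decide which tags may run and return an audit record of the decision.

    With a GPC signal present, every tag that would share data with a third
    party is suppressed; first-party tags are unaffected. The returned dict
    is suitable for logging so that compliance audits can verify behaviour.
    """
    opted_out = gpc_opt_out(headers)
    loaded = [t.name for t in catalogue
              if not (opted_out and t.shares_with_third_party)]
    suppressed = [t.name for t in catalogue if t.name not in loaded]
    return {"opted_out": opted_out, "loaded": loaded,
            "suppressed": suppressed}


if __name__ == "__main__":
    # Constructed sample requests: one with the signal, one without.
    print(tags_to_load({"Host": "shop.example", "Sec-GPC": "1"}))
    print(tags_to_load({"Host": "shop.example"}))
```

The audit record is the part worth keeping: a log of which tags were suppressed for signalled requests is the evidence a compliance review would ask for.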
It also shows that the Attorney General’s Office is firm in enforcing corporate compliance.
Should we expect the US to head towards further fines and a harsher stance towards data offenders, as the statements of the Attorney General’s office seem to indicate? The coming months will confirm this.
For now, California passed its second data privacy law in 2020, even before most other states have such a law. The CPRA, approved by ballot, amends the CCPA. It will take effect on January 1, 2023, and gives new rights to California consumers, imposes new obligations on businesses, and creates a new government agency – the California Privacy Protection Agency (CPPA).
By Mélissa Walehiane