On Aug. 24, 2022, California Attorney General Rob Bonta (AG) announced the first public fine for failure to comply with the California Consumer Privacy Act (CCPA). Beauty products retailer Sephora Inc. agreed in a settlement to pay $1.2 million into California’s Consumer Privacy Fund, to make substantial changes to Sephora’s privacy programs and policies, and to submit annual reports regarding these changes to the AG for the next two years.
Like many retailers, Sephora installed (or allowed third parties to install) software on its website that monitored the actions of its online shoppers. Although these third parties did not pay Sephora for its shoppers’ data, in return Sephora received analytics regarding these shoppers and the option to purchase advertisements targeting them. The AG alleged that this use of Adtech constituted a sale of personal information under the CCPA, which the AG stated “broadly defines sales as the exchange of personal information for anything of value.”[1]
The AG’s complaint against Sephora alleged three CCPA violations: (1) Sephora’s online privacy policy falsely stated “we do not sell personal information” despite the value it received for using Adtech software; (2) Sephora failed to include the required “Do Not Sell My Personal Information” link on its homepage; and (3) Sephora failed to respond to consumer requests to opt out of such sales via Global Privacy Controls (GPC), which are browser signals that users can set once to inform all websites that they do not want their information sold. The AG also alleged that these actions separately violated California’s Unfair Competition Law.
On June 25, 2021, as part of an enforcement sweep, the AG notified Sephora and other online retailers of similar violations and gave them all 30 days to cure. Sephora failed to do so within the 30-day window. For its part, Sephora expressed surprise that the use of third-party analytics constituted a sale of personal information under the CCPA, but agreed to correct these issues.
The AG Is Committed to Enforcing the CCPA
The AG’s announcement of this settlement also included “a strong message to businesses that are still failing to comply with California’s consumer privacy law,” stating “we will hold you accountable” and there “are no more excuses.”[2] In a related press conference, the AG stated, “The kid gloves are coming off. My office will not hesitate to protect consumers.”[3] The AG also noted that the CCPA has been in effect for two years and indicated that he would no longer give businesses an opportunity to cure after the safe-harbor period expires on Jan. 1, 2023. The AG continues to conduct enforcement sweeps and has sent notification and cure letters to hundreds of businesses across many sectors.
Cookies and Tracking Software Could Lead to a “Sale” under CCPA
Businesses that use Adtech or tracking software, such as Google Analytics, should consider how that information is used and what they receive in return. If businesses receive anything of value in exchange for sharing information with Adtech or analytics companies, such sharing will be deemed a sale under the AG’s interpretation. Businesses engaged in such relationships should update their websites and privacy policies to include the “Do Not Sell My Personal Information” button and notify consumers of how their browsing data is sold, and to whom. Businesses should also consider entering into service provider contracts with these third parties, where possible. Under the CCPA, sharing personal information with a service provider for a business purpose is not considered a “sale” if the business discloses that sharing to consumers and ensures that the service provider does not further collect, sell or use the information beyond what is necessary to perform the business purpose.
Businesses Must Honor GPC Signals
Although the CCPA does not specifically require businesses to honor GPC signals, the AG adopted regulations that treat these signals as a valid “Do Not Sell” request. Businesses should also establish internal procedures for complying with such requests and for instructing any service providers, such as Adtech companies, to refrain from selling that consumer’s personal information.
***
We will continue to monitor the latest developments in this ongoing legislative movement. For more information on California’s privacy laws and how to comply, see our prior client alerts. Please reach out to the Kramer Levin privacy team for additional assistance on how to comply with emerging privacy laws.
[1] See https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf
[2] See https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement