Sephora fined $1.2M in first public CCPA enforcement

Sephora violated the California Consumer Privacy Act (CCPA) and sold consumers’ personal data after they had requested their information not be sold, California Attorney General Rob Bonta said in a press release Wednesday.

The CCPA, which took effect in 2020, is the country’s first and only active comprehensive state data privacy law. Since the start of 2021, Virginia, Colorado, Utah, and Connecticut have passed privacy laws of their own, each set to take effect in 2023. Congress is considering whether a federal data privacy law is needed and how strong the protections should be.

The CCPA requires businesses to disclose to California-based residents the sale of their data and allow them to opt out. If gaps in compliance with the law, which is enforced by the California attorney general, are identified, the company has 30 days to resolve the alleged violations.

Sephora failed to address its alleged deficiencies within the 30-day period, Bonta said.

California has been warning companies since 2020 to abide by the act. Since the law was enacted, Bonta said his office has delivered notices to a variety of major businesses—including those in technology, healthcare, retail, fitness, telecommunications, and others—that their opt-out systems were deficient.

His office recently conducted an “enforcement sweep” of online retailers and discovered Sephora was selling the personal data of consumers who had visited the company’s website after they had asked their data be kept private. Bonta’s office filed a complaint against Sephora on Tuesday and reached a settlement with the retailer in the San Francisco County Superior Court on Wednesday.

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable,” Bonta said in the press release.

The CCPA imposes fines of $7,500 per intentional violation.

“Sephora’s practices are already in compliance with the CCPA,” said a Sephora spokeswoman in an emailed statement. In reaching settlement, the company did not agree to an admission of liability or fault.

Under the settlement, Sephora must make clear to visitors of its website it intends to sell their personal data, offer consumers a way to opt out, and honor any requests it receives.

Within 180 days of the settlement, Sephora also must create a monitoring program that will assess the effectiveness of its system for processing opt-out requests by consumers. Sephora must honor privacy requests made directly through its website or by the Global Privacy Control, a tool that allows people to opt out of any sale of personal data by any online retailer.

Sephora must monitor its system for two years and test it to ensure it is effective. The retailer must file annual reports to the attorney general about its monitoring program, including tests of its system and any errors or gaps detected; a list of entities it provides consumer data to; and what personal information it shared.

“There are no more excuses,” Bonta said. “Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

On Jan. 1, 2023, the California Privacy Rights Act (CPRA) will take effect and supersede the CCPA. The CPRA requires companies to take further measures to safeguard consumer data and creates the California Privacy Protection Agency (CPPA) to enforce the new law.

“The kid gloves are coming off; we will hold you accountable,” said Bonta in a press conference.