California AG looks ahead to other data privacy violations after $1.2 million Sephora fine
Jonathan Greig August 26, 2022

California AG looks ahead to other data privacy violations after $1.2 million Sephora fine

California AG looks ahead to other data privacy violations after $1.2 million Sephora fine

California’s Attorney General Rob Bonta is already looking ahead to the next potential violations of the California Consumer Privacy Act (CCPA) after issuing the state’s first fine of $1.2 million to Paris-based makeup giant Sephora this week. 

While announcing the fine — which was part of a settlement with Sephora to resolve allegations the company violated the CCPA — Bonta said he also sent notices to “a number of businesses” due to alleged non-compliance when it comes to processing consumer opt-out requests. 

Bonta’s office did not respond to requests about which companies were issued the notices but said in a statement that businesses now have 30 days to rectify the violations or face a fate similar to Sephora. 

The violations center around the processing of consumer requests made through global privacy controls that allow people to opt out of all online sales in one click. Many businesses attempt to get around this by making users click on opt-out links each time they visit a website.

To help ease businesses into the intricacies of California’s landmark privacy law, companies are given the chance to “cure” these violations and process the opt-out requests before the Attorney General is allowed to step in.

That provision expires on January 1, 2023, and businesses will no longer get that 30-day window to cure violations after that date.

Several businesses have been issued notices since the CCPA took effect in July 2020. Bonta said major corporations in the tech, healthcare, retail, fitness, data brokerage, and telecom industries and more have been issued notices to cure. 

Consumer Reports head of tech policy Justin Brookman said that because of the 30-day “right to cure,” many of the businesses sent warning letters were not punished. 

“This sort of enforcement action gets a lot more attention than a press release announcing they’re sending out warning letters, and will likely be more effective at changing behaviors more broadly,” Brookman said. 

“Starting in 2023, California regulators can just directly bring an action without telling a company to stop first, so companies are risking legal liability if they engage in the sort of behaviors Sephora was.”

Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation, said it was heartening to hear that Bonta was already taking steps to hold other companies accountable for CCPA violations.  

“Most of the enforcement for the CCPA rests in the Attorney General’s hands, and it’s encouraging to see them pursue those violating the law,” Tsukayama said. “Companies should respect consumer choice, because ultimately that’s a function of trust between businesses and their customers.”

A ‘strong message’

Few companies were apparently as egregious as Sephora, according to Bonta. In a complaint, the California Attorney General’s office said that during a sweep of online retailers, Sephora had a number of violations — including a failure to tell customers their information was being sold, a failure to process user opt out requests and a further refusal to cure the violations within the 30-day timeline. 

Sephora allowed advertising technology companies to install tracking software on their website and in their app so third parties can monitor consumers as they shop.

Sephora — one of the largest makeup companies in the world — tracked everything from whether a person was using a MacBook or a Dell to the brand of eyeliner or the prenatal vitamins that they put in their virtual shopping cart. 

The software could even provide a user’s exact location. 

California said it considers Sephora’s arrangement with these advertising tech companies a sale of consumer information under the CCPA which comes with several obligations, “such as telling consumers that they are selling their information and allowing consumers to opt-out of the sale of their information. Sephora did neither.”

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable,” Bonta said. 

What is a “sale”?

Privacy experts — and Sephora — expressed surprise that California prosecutors were interpreting the makeup company’s relationship with the advertising tech companies as violations of the CCPA. 

Under the terms of the settlement Sephora did not have to admit fault or liability, and in comments to The Record, the company continued to tacitly dispute the regulator’s interpretation of the CCPA. 

A spokesperson for Sephora said the company uses data “strictly for Sephora experiences” and argued that the CCPA does not define “sale” in the “traditional sense of the term.”

“‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads,” the company said.  

“We have always cooperated fully with the OAG and Sephora’s practices are already in compliance with the CCPA. We respect the perspective and guidance provided by the OAG and understand the importance of the continually evolving requirements around consumer privacy.”

The spokesperson added that there is now an opt-out link on the footer of the Sephora.com website specifically for users in California. 

Privacy expert Dan Clarke, who has worked with lawmakers in several states on potential privacy bills akin to CCPA,  said the announcement shows there “will be little forgiveness for the definition of ‘sale.’”

“If a company is exchanging personal information for a benefit without disclosing it to customers and providing a way for them to opt out, they will be in violation,” said Clarke, who serves as president of compliance company Truyo. 

“The fact that this was the fine after settlement indicates there’s a very good possibility the fine was initially much higher.”

Clarke said the high figure of this initial fine means the next ones will be even harsher for companies that don’t settle or clearly remain in violation. 

The fines will escalate even further on January 1, 2023, when the California Consumer Privacy Act (CPRA) goes into effect and the 30-day period to cure sunsets.

“During [Wednesday’s] press conference Attorney General Bonta warned that ‘the kid gloves are coming off,’” Clarke said. “In other words, there’s no runway left for companies that aren’t following the law.”

Jeff Sizemore, chief governance officer at Egnyte added that it is now critically important for companies to correct deficiencies that are provided in cure notices by state data privacy authorities considering the expansion of data privacy laws across the U.S. over the last two years. 

“If your company does business in California, Virginia, Colorado, Utah or Connecticut, I encourage you to get prepared now for the new/updated legislation that will go into effect in 2023,” he said. 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.