California AG Announces First CCPA Settlement and New Enforcement Examples

California Attorney General (CA AG) Rob Bonta announced on August 24, 2022 that his office has reached a settlement with Sephora Inc. (Sephora) to resolve allegations that the way Sephora used third-party tracking technologies violated the California Consumer Privacy Act (CCPA). The action is the AG's first formal complaint under the CCPA, which went into effect on January 1, 2020. If approved by the court, the settlement will require Sephora to take immediate action to comply with the law, to carry out regular compliance assessments for two years, and to pay a $1.2 million penalty.

The allegations against Sephora

The complaint alleges that Sephora installed certain analytics and advertising cookies and other tracking technologies on its website and mobile applications that enabled the providers of those technologies to track Sephora users' activity, including the products they viewed or added to their shopping carts. These third-party vendors then matched the activity collected on Sephora's website and apps with data they collected from other sources, helping Sephora target customers with advertisements on other Internet properties. Because of the nature of the products Sephora sells, third parties could infer information about an individual that would be considered highly personal; for example, the third party would know that an individual had purchased prenatal vitamins from Sephora.

Although Sephora stated in the privacy policy on its website that the company does not "sell" personal information, the AG's office argues in the complaint that allowing third parties to collect personal information via cookies was in fact a sale of that personal information. The sale triggered an obligation for Sephora to give consumers the ability to opt out of such disclosures. According to the AG, Sephora violated the CCPA first by failing to post a "Do Not Sell My Personal Information" link on its website and mobile applications that consumers wishing to opt out could use, and second because its website failed to detect and honor the opt-out signals sent by browsers in which the user had enabled Global Privacy Control (GPC).
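The second alleged failure above, not detecting the GPC signal, is a concrete engineering defect, so an added example of what "honoring GPC" looks like on the wire follows. This is illustrative code written for this article and is not Sephora's code or anything from the complaint. It relies on two facts from the GPC specification: a browser with GPC enabled sends the request header `Sec-GPC: 1` on every request, and exposes `navigator.globalPrivacyControl === true` to page scripts. The policy object, the vendor categories and the sample requests are assumptions constructed for the example.

```javascript
// Added example: server- and client-side detection of the Global Privacy
// Control (GPC) opt-out signal. Not the article's or Sephora's code.

const GPC_HEADER = "sec-gpc";

// Return true only when the request carries "Sec-GPC: 1" exactly.
// Node's IncomingMessage.headers lower-cases names, but other runtimes do not,
// so match case-insensitively. Absence of the header (or any other value) is
// "no signal", which is NOT the same as consent; it simply falls back to the
// visitor's other choices (for example the Do Not Sell link).
function gpcSignaled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== GPC_HEADER) continue;
    const v = Array.isArray(value) ? value[0] : value; // some frameworks give arrays
    return String(v).trim() === "1";
  }
  return false;
}

// Client-side counterpart: the same signal as seen by page scripts.
// Accepts the navigator object (or a stub) so it can be tested outside a browser.
function gpcSignaledInBrowser(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide which script categories a response may load. The opt-out covers
// vendors whose data use amounts to a "sale" (cross-site advertising and, as
// assumed here, analytics vendors without a service-provider contract).
// Strictly necessary first-party scripts are unaffected by the opt-out.
function resolveTrackingPolicy({ headers, optedOutViaLink = false }) {
  const optOut = optedOutViaLink || gpcSignaled(headers);
  return {
    optOut,
    loadAdvertisingVendors: !optOut,
    loadAnalyticsVendors: !optOut,
    loadFirstPartyScripts: true,
  };
}

// Constructed sample requests (not real traffic) showing the three cases that
// matter: signal present, signal present but not "1", and no signal at all.
const SAMPLE_REQUESTS = {
  gpcOn: { headers: { host: "www.example.com", "Sec-GPC": "1" } },
  gpcMalformed: { headers: { host: "www.example.com", "sec-gpc": "0" } },
  noSignal: { headers: { host: "www.example.com" } },
};

function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLE_REQUESTS).map(([k, req]) => [k, resolveTrackingPolicy(req)])
  );
}

module.exports = { gpcSignaled, gpcSignaledInBrowser, resolveTrackingPolicy, SAMPLE_REQUESTS, demo };
```

The decision has to be made before any third-party tag is emitted or loaded, since the complaint's theory is that the disclosure happens the moment the vendor's cookie or pixel fires. Checking the header server-side (and `navigator.globalPrivacyControl` in a tag-manager gate as a second line of defence) is what an assessment of "effectively handling opt-out requests" would look for.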

Sephora could not claim that the advertising and analytics partners were service providers, which would have meant the disclosures were not a sale, because it did not have "valid" contracts in place with these partners that met the requirements the CCPA sets out for a service provider contract. The complaint does not name the third parties whose cookies were running on Sephora's website.

Enforcement action

According to the complaint, the CA AG first identified a potential violation by Sephora through an "enforcement sweep" of major retailers that began by testing whether their websites honored GPC. This led the CA AG to look more closely at Sephora's privacy notice and opt-out processes, during which additional issues emerged. Sephora was notified of these violations and failed to cure them within the 30-day period.

In addition to alleging violations of the CCPA and its regulations, the complaint includes one count under California's Unfair Competition Law, alleging that Sephora's privacy policy contained false or misleading statements and that consumers were deprived of their ability to opt out of the sale of their personal information.

In addition to the website and mobile app remediation and the monetary penalty, the settlement requires Sephora, for a period of two years, to conduct annual assessments of whether it is effectively handling consumer requests to opt out of the sale of their personal information and to submit those assessments to the CA AG's office. Sephora must also document the entities with which it shares personal information and, where it considers them to be service providers, confirm in a report to the CA AG that appropriate contractual arrangements are in place.

Additional enforcement examples

As we reported in a previous Holland & Knight article, "California Attorney General Previews Enforcement Strategy," the AG first released examples of its enforcement activity in July 2021, around the same time the complaint says Sephora was notified of its alleged violations.

Along with the announcement of the Sephora settlement, the CA AG's office updated its public list of examples of cases in which CCPA notices of non-compliance were issued. Of the 13 examples provided, 10 involved some failure to properly offer consumers the right to opt out of the sale of their personal information. Some alleged failures were total: the company did not post the required opt-out link and/or did not honor GPC. Others concerned how the opt-out choice was presented; for example, the company's presentation of options was confusing or required the consumer to take additional steps, or the company did not accept requests from authorized agents. Several examples also cited deficiencies in privacy notices, such as incorrect or misleading statements about the company's practices related to the sale of personal information and/or about the process for submitting right-to-know or right-to-delete requests, such as failing to provide two designated methods or to describe the process for verifying a request. Two examples cited a failure to train the employees who handle consumer privacy requests.

Takeaways

  • Deploying third-party cookies and pixels on a website to collect information about a visitor's activity on that site will likely be viewed by the CA AG as a sale of personal information to the third party, subject to the opt-out requirements. Although a company may be able to avoid offering an opt-out by treating the party as a service provider, a legally compliant contract limiting the use of the personal information must be in place for that to work. The Sephora complaint suggests that the CA AG is (at a minimum) skeptical of the standard contract terms that come with "widely available advertising and analytics" tools. Businesses, especially online retailers, therefore need a detailed understanding of the data flows on their online properties and of how third parties use the data they collect.
  • The CA AG's position is that honoring signals sent by browsers using GPC is a requirement of current state law. Although this is an aggressive reading of the law,1 widespread adoption of GPC is clearly contemplated by the California Privacy Rights Act (CPRA) as of January 1, 2023, and appears to be required by the new privacy laws in Colorado and Connecticut in the coming years. Companies that have not yet adopted the standard should do so.
  • Errors in the presentation of consumer rights processes, whether right to know/delete or opt-out, are easy for a regulator to spot from the outside. Once a potential issue is on the regulator's radar, it can lead to a thorough investigation of the company's privacy program, which in turn can surface larger problems.


1 A global opt-out preference signal is not referenced in the CCPA itself and, under the CPRA amendments, is required only where a business chooses not to provide a Do Not Sell link for opting out of the sale of personal information.