Sephora Fined $1.2 Million Over CCPA Violations
Article Highlights:
- First major fine for violation of the CCPA
- Sephora website had no method to opt-out of sale of personal information & no implementation of the Global Privacy Control standard
- Fines likely to be more common as the mandatory 30-day cure period expires
California Attorney General Rob Bonta announced that his office has recently settled a case with makeup retailer Sephora over a number of violations of the California Consumer Privacy Act (CCPA). The settlement requires Sephora to pay $1.2 million in penalties, as well as enact numerous measures to bring the business’s online operations into compliance with the CCPA.
“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” said Bonta. “It’s been more than two years since the CCPA went into effect….There are no more excuses.”
According to the Attorney General, the majority of violations were related to the sale of consumers’ personal information. Through a variety of tracking technologies, Sephora was sharing data about its website visitors with third parties in exchange for advertising and analytics services, an arrangement that is considered a “sale” under the CCPA. The company did not disclose this fact in its privacy policy, did not post a “Do not sell my personal information” link on its site, and offered consumers no way to opt out.
The Attorney General also heavily emphasized the role of Global Privacy Control (GPC) in CCPA compliance. GPC is a user-enabled signal sent by web browsers to function as an automatic opt-out request to the site being visited. Under CCPA regulations, online businesses are required to respect the GPC signal and treat it as they would any other consumer opt-out. As part of the settlement agreement, Sephora must implement a mechanism to honor opt-outs via the GPC signal.
Before seeking any penalties or injunctions, the Attorney General’s Office first sent a CCPA cure notice to Sephora. Cure notices are mandatory under the current version of the law, and give businesses 30 days to fix any alleged violations (which Sephora apparently failed to do). However, as the Attorney General noted, the CCPA provision that requires the state to send out cure notices is set to expire on January 1, 2023. Starting on that date, officials at the newly created California Privacy Protection Agency may skip the 30-day cure period and proceed directly to an administrative hearing and penalty assessment.
Any businesses left in doubt should consider Mr. Bonta’s words of warning: “My office is watching, and we will hold you accountable.”
Don’t Delay CCPA Compliance
The state’s action against Sephora marks a new point of maturity for CCPA enforcement, demonstrating that the law does, in fact, have teeth. Non-compliance has real consequences in the form of steep fines and expensive legal fees, and in the end the result is the same—your business must become CCPA compliant.
TrueVault Polaris gives small and medium-sized businesses access to the tools and expertise they need to become compliant on their own. First, businesses go through the initial onboarding process via a guided question-and-answer interface (think online tax software), which can be completed in as little as a few hours. The many diverse requirements such as incorporating GPC into your website are all accounted for. After that, Polaris makes staying compliant a simple task through process automations, privacy-request workflows, and other time-saving tools.
Contact our team to learn more and view a demo.