French retailer Sephora became the first company to be penalized under the California Consumer Privacy Act (CCPA) for not disclosing to consumers that it sells their personal information, failing to respect users’ Global Privacy Control as an opt-out, and neglecting to correct these infractions by the deadline. The $1.2 million penalty is part of a settlement, so while Sephora doesn’t have to admit to wrongdoing, it must pay the fine; rectify its data sharing policy, avenues to opt-out, and service provider agreements; and report on its progress to the attorney general. The Sephora case is significant because it:
- Clarifies a broad definition of “sale of data.” The Sephora settlement makes the definition of a sale clear: any exchange of data for value – not explicitly monetary value – qualifies. This expands requirements for respecting consumers’ “do not sell my information” requests and opens more companies to CCPA investigations – the attorney general already sent violation notices to other organizations acting similarly to Sephora. However, the debate over what constitutes a sale will be moot next year, when the CPRA goes into effect and gives consumers the right to opt out of the sale or sharing of their personal information.
- Is the first privacy-exclusive CCPA settlement. Typically, organizations are investigated for tangible, adverse events like a data breach. The Sephora case is the first CCPA settlement unrelated to a breach or security-related incident, setting the precedent that inadequate privacy compliance alone substantiates regulatory action.
- Will be the first of many cases. California’s Office of the Attorney General (OAG) has publicized its “enforcement sweep,” a series of ongoing investigations that notify noncompliant organizations, demanding they cure infractions within 30 days or face litigation. The sweeps have been thematic, targeting organizations with shared violations, business models, product/service offerings, etc., like the investigation of online retailers and enterprises with loyalty programs. To date, over 250 CCPA complaints have been filed, and other suits are currently awaiting adjudication.
- Signifies the future of privacy regulations. California has the strongest US state privacy law to date. The issue of preemption in the federal privacy bill is becoming increasingly divisive, as California lawmakers (including, notably, Speaker of the House Nancy Pelosi) are unlikely to accept a federal bill that weakens protections for their constituents. Issues like sharing or selling data will become sticking points as the debate over a federal privacy bill continues.
Firm Up Your CCPA Compliance And Prepare For The CPRA
For marketers and privacy pros wondering what this decision means for their compliance roadmaps, make sure you:
- Reexamine your privacy policies and service provider agreements. Data sharing and selling are broad concepts under the CCPA, so if you are using third-party cookies, pixels, or SDKs on your site or app, these are all data sharing/selling practices that must be accounted for. Remember to review your third-party contracts, including the service provider agreements that govern what service providers can do with your customers’ data; these must meet the OAG’s expectations.
- Respect consumers’ privacy choices through tools and policies. This case shed light on the Global Privacy Control (GPC), a browser-based opt-out signal, which Sephora failed to acknowledge. Companies must ensure that they not only provide consumers with means to exercise their data rights, but that they actually have the proper mechanisms in place for consumers’ privacy decisions to effectively impact how companies use, share, and store their data.
- Collaborate across the marketing, security, and risk functions. Don’t hem and haw over whether you’re selling data or not. Partner with your security & risk counterparts to examine your data flows and ensure not only that you’re complying with the law, but also minimizing risk to your organization.
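As an added illustration of the GPC point above (example code written for this post, not Sephora’s or any vendor’s implementation), the snippet below shows the two places the signal arrives, the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl`, and gates a constructed inventory of third-party tags on the resulting opt-out decision; the tag names, the `explicitChoice` field and the `lastUpdate` date are hypothetical.

```javascript
// Added example: honouring the Global Privacy Control (GPC) opt-out signal.
// GPC reaches a business two ways: the `Sec-GPC: 1` request header (visible
// server-side) and `navigator.globalPrivacyControl === true` (visible to page
// script). Tag names and the `explicitChoice` field are hypothetical.

// Constructed tag inventory: which tags send data to third parties (a
// sale/share under the CCPA reading described above) and which do not.
const TAG_INVENTORY = [
  { id: 'session-analytics', purpose: 'fraud and session integrity', sharesWithThirdParty: false },
  { id: 'ad-network-pixel', purpose: 'retargeting', sharesWithThirdParty: true },
  { id: 'social-sdk', purpose: 'audience matching', sharesWithThirdParty: true },
];

// True when the request or the browser carries a Global Privacy Control signal.
function gpcSignalled({ headers = {}, nav = {} } = {}) {
  // Header names are case-insensitive; the GPC spec defines the value as exactly "1".
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === 'sec-gpc');
  const headerSet = entry !== undefined && String(entry[1]).trim() === '1';
  return headerSet || nav.globalPrivacyControl === true;
}

// Combine the GPC signal with any choice the visitor made on the site itself.
// A GPC signal is treated as an opt-out request, as is an explicit on-site opt-out.
function optedOutOfSaleOrShare({ headers, nav, explicitChoice } = {}) {
  if (explicitChoice === 'opt-out') return true;
  return gpcSignalled({ headers, nav });
}

// Return only the tag ids that may be loaded for this visitor: when opted out,
// every tag that shares data with a third party is suppressed.
function tagsToLoad(visitor) {
  const optedOut = optedOutOfSaleOrShare(visitor);
  return TAG_INVENTORY
    .filter((tag) => !(optedOut && tag.sharesWithThirdParty))
    .map((tag) => tag.id);
}

// Body for the /.well-known/gpc.json resource defined by the GPC spec, through
// which a site states that it honours the signal (lastUpdate is a constructed date).
function gpcWellKnown(lastUpdate = '2022-09-01') {
  return { gpc: true, lastUpdate };
}
```

The server-side check runs on every request, so the opt-out applies before any third-party tag is injected into the page rather than after the fact.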