International cosmetics retailer Sephora has agreed to pay $1.2 million to settle allegations that the company failed to cure violations of the California Consumer Privacy Act (CCPA). The settlement is the first CCPA enforcement action resulting in financial penalties from the California Attorney General’s office, and it elucidates the Attorney General’s view of how the use of website analytics and advertising trackers involves “sales” of personal information.
A “sale” under the CCPA is defined broadly as the disclosure of a consumer’s personal information to another entity for monetary or other valuable consideration. In the Attorney General’s view, Sephora’s use of third-party trackers on its website and mobile application—such as cookies, pixels, and other technologies—involved the sale of personal information: Sephora provided personal information via these technologies to advertising networks and data analytics providers in exchange for analytics and advertising benefits from these companies.
When Sephora did not remedy the alleged violations within the 30-day notice-and-cure window permitted by the CCPA, the Attorney General initiated an investigation into the company’s practices. That investigation ultimately resulted in this settlement with the company more than a year later. Sephora did not admit liability or wrongdoing as part of the settlement.
The enforcement action and settlement provide insight into the Attorney General’s approach to the CCPA and offer some important lessons for businesses and brand owners.
Analytics and Advertising Cookies and Trackers Involve “Sales” of Personal Information. To the extent there was any doubt about whether the use of third-party analytics and advertising trackers on websites and mobile applications constitutes a “sale” of personal information, the settlement in the Sephora matter reflects the Attorney General’s unequivocal view that these technologies intrinsically involve the sale of personal information. This is not a surprising conclusion given the examples of enforcement actions that the Attorney General published on its website last year and the guidance the Attorney General published that requires businesses to honor the Global Privacy Control (GPC).
That said, when the CCPA was initially enacted, there was some debate as to whether the use of analytics and advertising trackers constitutes a “sale” of personal information. Sephora’s decision not to cure the violations alleged by the Attorney General within the 30-day notice-and-cure window may reflect a decision by Sephora not to implement changes and instead, at least initially, to challenge the Attorney General’s position that the use of such technologies constitutes a sale.
Honoring the GPC Is a Must. The Attorney General’s enforcement action also reiterates businesses’ obligation to honor the GPC. The text of the CCPA does not specifically mention the GPC, nor do the CCPA’s implementing regulations. Rather, the regulations make general reference to a “user-enabled global privacy control” that will allow consumers to signal their choice to opt out of sales of their personal information. In June 2021, the Attorney General issued guidance effectively interpreting those regulations as requiring businesses to honor the GPC as a valid consumer request to opt out of the sale of personal information. The Sephora settlement underscores the importance for businesses that use analytics and advertising trackers to build functionality into their websites to recognize and honor the GPC.
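As an added illustration (not code from the article or from Sephora) of what “recognizing and honoring the GPC” looks like in practice: the GPC specification defines a request header (Sec-GPC: 1) that a server can read and a browser property (navigator.globalPrivacyControl) that page scripts can read, and a site honoring the signal treats either as an opt-out of sale and withholds its analytics and advertising tags. The tracker categories, tag registry and stored opt-out flag below are hypothetical placeholders.

```javascript
// Server side: a GPC-enabled browser sends the request header "Sec-GPC: 1".
// Header names are case-insensitive, so normalise before comparing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: browsers that support GPC expose a boolean on navigator.
// The navigator object is passed in so the check is testable outside a browser.
function gpcFromNavigator(nav) {
  return !!(nav && nav.globalPrivacyControl === true);
}

// Opt-out decision: a GPC signal from either channel, or a previously stored
// opt-out choice (e.g. from a "Do Not Sell" link), blocks third-party trackers.
function trackerPolicy({ headers, nav, storedOptOut } = {}) {
  const optedOut = gpcFromHeaders(headers) || gpcFromNavigator(nav) || !!storedOptOut;
  return {
    optedOut,
    // Hypothetical categories: strictly necessary scripts still load;
    // analytics and advertising tags (the "sale" channel) do not.
    allow: optedOut ? ['necessary'] : ['necessary', 'analytics', 'advertising'],
  };
}

// Hypothetical tag registry (constructed for this example).
const TRACKERS = [
  { id: 'session-guard', category: 'necessary' },
  { id: 'analytics-pixel', category: 'analytics' },
  { id: 'ad-network-tag', category: 'advertising' },
];

// Returns the ids of the tags a page may inject under the given policy;
// the real injection (creating <script> elements) would happen from this list.
function trackersToLoad(policy) {
  return TRACKERS.filter(t => policy.allow.includes(t.category)).map(t => t.id);
}
```

The decision is made before any tag is injected, since a tracker that has already fired has already disclosed the visitor’s data, which is exactly the per-visit “violation” the complaint counts.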
Take Advantage of the 30-Day Cure Period While You Can. Had Sephora addressed the Attorney General’s allegations of noncompliance within the 30-day cure period, the company presumably would have avoided financial penalties. As such, it is important for businesses to quickly respond to allegations of violations of the CCPA to avoid monetary fines and other penalties. Importantly, however, the notice-and-cure period will no longer be available to businesses when the California Privacy Rights Act (CPRA) takes effect next year. This makes compliance with the law from day one even more critical.
Update Contracts with Service Providers. One issue the Attorney General’s complaint makes clear is that Sephora could have avoided at least some of the issues concerning “selling” personal information by updating its contracts with analytics providers and advertising networks to qualify these entities as “service providers” under the law. Under the CCPA, disclosures of personal information to “service providers” do not constitute “sales” of personal information, but to qualify as a “service provider,” the service provider must agree to certain contractual limitations on how personal information can be used—which may be difficult, particularly for advertising networks that may use personal information to engage in cross-context behavioral advertising.
What Is a “Violation” of the CCPA? The CCPA provides financial penalties for noncompliance in the amount of $2,500 per violation and up to $7,500 if the violation is intentional. It is nearly impossible to glean how the Attorney General and Sephora reached the $1.2 million penalty in this case—indeed, there was likely significant negotiation between the parties regarding the final penalty value. But the Attorney General’s complaint sheds light on what constitutes a “violation” under the CCPA and the potential magnitude of financial penalties under the law. The complaint alleges that “[e]ach time Sephora failed to stop the sale of data to a third party, Sephora violated the law.” In other words, an alleged violation occurred each time a California resident visited Sephora’s website and was not presented with the option to opt out of a sale. Construing the meaning of “violation” in this manner means that a website that has a relatively low number of visitors from California could see significant penalties. For example, a website with 10,000 visitors from California could see financial penalties of up to $25 million (or even up to $75 million in the event that each violation is intentional) if the business engages in sales of personal information through analytics and advertising cookies and does not give consumers the opportunity to opt out. This reinforces the importance of complying with the law, particularly as the CPRA’s effective date is on the horizon.