Sephora has been fined $1.2 million for selling consumers’ personal information without informing them first and for not processing customer requests to opt out of the sale of their data, in violation of the California Consumer Privacy Act (CCPA). California Attorney General Rob Bonta noted that the state informed Sephora of the data privacy violations following an investigation of online retailers but that the retailer failed to correct the issues within the 30-day grace period afforded by the CCPA.
In a statement regarding the settlement, Sephora did not admit to any wrongdoing and maintains that it has complied with the Attorney General’s guidelines.
In addition to the fine, moving forward Sephora must take the following steps to comply with the CCPA:
- Offer options, including through Global Privacy Control, for consumers to opt out of the sale of personal information;
- Ensure service provider agreements adhere to CCPA requirements; and
- Report to the Attorney General’s office regarding the company’s sale of personal information, service provider relationships and adherence to Global Privacy Control.
“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” said Bonta in a statement. “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
In its statement, Sephora alleged that the CCPA included unclear language regarding how it defines the “sale” of data.
“Sephora respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience,” read the statement. “It is important to note that Sephora uses data strictly for Sephora experiences. However, the California Consumer Privacy Act (‘CCPA’) does not define ‘sale’ in the traditional sense of the term. ‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads. Consumers have the opportunity to opt out of this personalized shopping experience by clicking the ‘CA – Do Not Sell My Personal Information’ link on the footer of the Sephora.com website or by using a browser that broadcasts the Global Privacy Control.”
Legal issues surrounding data collection and sale are becoming more frequent as retailers prepare for restrictions on “cookies” and other passive data tracking tools. In April 2022, a former Illinois-based PetSmart employee filed a putative class action against the pet goods retailer alleging that the company violated Illinois’ Biometric Information Privacy Act (BIPA) by leaving employees open to identity theft after collecting their voiceprints.