What Sephora’s $1.2 Million CCPA Settlement Signifies for Brands

In its first enforcement action under the online privacy law, California reached a $1.2 million settlement with retailer-brand Sephora last week. Although the company was found to have violated the California Consumer Privacy Act (CCPA), Sephora’s point of contention came from the loose definition of the term "sale" under the law, where CCPA doesn't define sale in the traditional sense of the term, the company told Adweek. The Act defines “sale” broadly as the selling or transferring of a consumer’s personal information by a business to another business—or a third party in exchange for money or “other valuable consideration.” “The problem with almost all existing privacy regulations—GDPR or CCPA—is how loosely written they are, which doesn’t really help anyone. But, as with this case, we needed to start somewhere in order to progress,” said customer data platform BlueConic’s president Cory Munchbach. While the settlement does not require Sephora to admit liability or wrongdoing, it is a reminder of the law's loose definitions, which have created confusion within the digital advertising industry. Although the California Privacy Rights Act (CPRA)—going into effect January 1, 2023—addresses many of these confusions, companies should nonetheless monitor their websites and data flow for advertising purposes. Here's what brands can learn from the settlement. Treat GPC signals as opt-out of sale request In June 2021, California’s Attorney General Rob Bonta ordered a sweep of large retailers to see whether they continued to sell personal information, after people had signaled to opt-out via the Global Privacy Control (GPC). The purpose of the GPC is to inform websites not to sell user data. As a part of the investigation, the AG found that data from Sephora’s website continued to flow to third-party companies, including advertising and analytics providers, when GPC was activated—even when a California resident signaled to opt-out. “The industry was always a bit unclear about the obligation to treat all GPC signals as an opt-out of sale request,” said Gary Kibel, a privacy and data security lawyer of Davis and Gilbert. “This settlement makes it very clear that the Attorney General's Office feels that publishers absolutely must treat GPC signals as [people’s] opt-out of sale request.” Sephora also allegedly failed to comply with several other CCPA obligations, like failing to tell California residents that it sold personal information to third parties—and that they have the right to opt-out of that sale. According to Bonta, the company only noted that it “shared” personal information and provided people with a link to see what information was shared. On clicking that link, a Sephora message read “that we do not sell personal information.” Sephora allegedly failed to post a “Do Not Sell My Personal Information” link on its website and in its mobile app, as well as provide another means of opting out. The company also allegedly sold people’s personal information despite people opting out. Woolly definitions won't hold back regulators While Sephora may have violated certain CCPA rules, the company countered by calling into question the use of the term "sale". The California law “does not define 'sale' in the traditional sense of the term,” Sephora previously told Adweek. “It is important to note that Sephora uses data strictly for Sephora experiences.” The CCPA’s broad definition of "sale" does not limit it to the selling of personal information by a business to another business or third party for monetary compensation, said Cobun Zweifel-Keegan, managing director, Washington, D.C. for The International Association of Privacy Professionals (IAPP), but also for discounted tools or services, such as analytics. Sephora may have slipped up in not having clear, valid service-provider contracts with third parties that state that data collected by the service provider is for the benefit of Sephora, said Keegan. According to Bonta, Sephora “installed and used other widely available advertising and analytics services from companies where it had the same fundamental deal: Sephora allowed the third-party companies access to its customers’ online activities, in exchange for advertising or analytic services.” The AG alleged that the company knew that these third parties would collect personal information when Sephora installed or allowed the installation of the relevant code on its website or app. As per the court document, the brand also knew that it would receive discounted or higher-quality analytics and other services derived from the data about people’s online activities, including the option to target ads to people that had merely browsed for products online. More fines to come Bonta’s office has sent out more than 100 notices of CCPA non-compliance to other companies in tech, health care, retail, fitness, data brokerage and telecom industries. Why Kochava? FTC Salvo Against Data Broker Puts Mobile Ad Tech on the Defensive These companies have 30 days to address the alleged violations or will otherwise face enforcement action from the Attorney General, Bonta said in a statement. This means it’s not just the big tech companies that need to worry about privacy compliance—but any company that interacts with consumers, according to Keegan. He added that companies should take a closer look at their websites and all third parties that collect data from these sites, while monitoring data flow for advertising purposes.