Today, the California Attorney General announced the first settlement agreement under the California Consumer Privacy Act (“CCPA”). The Attorney General alleged that online retailer Sephora, Inc. failed to disclose to consumers that it was selling their information and failed to process user requests to opt out of sale via user-enabled global privacy controls. The Attorney General also alleged that Sephora did not cure these violations within the cure period.
The meaning of the CCPA’s “sale” definition has been controversial and unclear. The CCPA statute defines the term to require an exchange of personal information for “monetary or other valuable consideration.” The Attorney General previously declined to clarify whether the term covered various advertising practices in its earlier rulemakings, and the CPRA voted on by the California electorate clarifies that “sales” are distinct from “cross-context behavioral advertising.” However, the Attorney General’s complaint suggests that Sephora’s relationships with certain ad tech partners met the definition of “sale” because “Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits. . . . Both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA.” However, the complaint also acknowledges that maintaining a valid service provider contract with a vendor is an exception to the “sale” definition.
The complaint also reveals that, in June, the Attorney General conducted “an enforcement sweep of large retailers to determine whether they continued to sell personal information when a consumer signaled an opt-out via the GPC.” The Attorney General’s press release on the settlement suggests that “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link.” Without recognizing open questions about the GPC and its status under the CPRA, the press release also states, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights [and businesses must] process opt-out requests made via user-enabled global privacy controls.”
The settlement requires Sephora to pay $1.2 million in penalties and comply with injunctive terms, including adding a representation that it sells data in its online disclosures and privacy policy, creating mechanisms for consumers to opt out of sale (including via the GPC), editing its service provider agreements to conform with CCPA requirements, and providing reporting to the Attorney General on its compliance with these requirements.
In addition to announcing the Sephora settlement today, the Attorney General also sent notices to a number of businesses alleging non-compliance related to a failure to process consumer opt-out requests made via user-enabled global privacy controls. The Attorney General also released additional enforcement case examples, including an enforcement sweep of loyalty programs and allegations of noncompliance due to confusing or non-functional CCPA request mechanisms.