
California Attorney General Settles with Sephora for Alleged CCPA Violations

By Will Kenney and Maddie Level

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora, making it the first publicly announced CCPA enforcement action. The settlement offers important lessons about what California considers most significant in CCPA enforcement.

The Violations

The AG alleged two primary categories of violations:

1. Failure to Disclose Data Sales and Maintain Valid Service Provider Contracts

Sephora used third-party tracking technologies (cookies, pixels, and SDKs from advertising and analytics companies) on its website and mobile app. The AG alleged that Sephora’s sharing of consumer personal data with these third parties constituted a “sale” of personal data under the CCPA (a characterization Sephora contested) and that Sephora failed to:

  • Disclose to consumers that it was selling their personal information
  • Provide a “Do Not Sell My Personal Information” link
  • Enter into valid service provider agreements with the recipients of the data (which would have excluded the sharing from the definition of “sale”)

The AG’s complaint specifically noted that Sephora sold prenatal vitamins and other products whose purchase data allowed the recipients to infer health-related information about consumers, which drew additional scrutiny.

2. Failure to Process Global Privacy Control (GPC) Signals

The AG alleged that Sephora failed to honor Global Privacy Control (GPC) signals, browser-level signals that consumers can set to automatically opt out of the sale of their personal information. The CCPA requires covered businesses to treat GPC signals as valid opt-out requests.

This is a significant development: the AG expressly stated that “use [of] the GPC is straightforward and should be considered a top priority for California businesses.”

Settlement Terms

Sephora agreed to:

  • Pay $1.2 million in penalties
  • Come into compliance with CCPA/CPRA obligations within two years
  • Implement GPC signal processing
  • Conduct annual compliance audits and report to the AG

Key Takeaways

1. GPC Compliance is an Enforcement Priority

The GPC violation was central to the AG’s case. Organizations subject to the CCPA must implement technical measures to detect and honor GPC signals. The Global Privacy Control specification provides technical guidance for implementation.
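The following is an added example (not code from the post, Sephora, or the GPC project) of what “detect and honor” looks like on a web server. It assumes an Express-style request whose headers are available as a plain object with lowercase keys, a constructed catalogue of third-party tags, and a stored preference value (`'opt-out'`) that a “Do Not Sell” link would set; all three are assumptions for illustration. The one fact it relies on from the GPC specification is that the browser sends the request header `Sec-GPC: 1` when the user has enabled the control, and that only that exact value is an opt-out signal.

```javascript
// Added example: honouring the Global Privacy Control (GPC) signal server-side.
// Assumes headers are exposed as a plain object with lowercase keys (Node/Express
// style); adapt the lookup for other frameworks.

const GPC_HEADER = 'sec-gpc';

// Per the GPC specification the header value "1" signals an opt-out.
// Anything else (absent, "0", garbage) is treated as "no signal", never as consent.
function hasGpcOptOut(headers) {
  const raw = headers[GPC_HEADER];
  if (raw === undefined || raw === null) return false;
  const value = Array.isArray(raw) ? raw[0] : String(raw);
  return value.trim() === '1';
}

// Constructed catalogue of third-party tags. Tags loaded under a valid CCPA
// service-provider agreement are not a "sale" and may still load after an
// opt-out; tags that share data with ad/analytics partners for their own use are
// treated as a sale and must be withheld once the consumer opts out.
const TAG_CATALOG = [
  { id: 'site-analytics', purpose: 'service-provider' },
  { id: 'ad-network-pixel', purpose: 'sale' },
  { id: 'partner-analytics-sdk', purpose: 'sale' },
];

// Combine the browser signal with any preference recorded via the
// "Do Not Sell My Personal Information" link (storedPreference is 'opt-out' or null).
// Either source alone is sufficient to opt the consumer out.
function resolveTrackingDecision(headers, storedPreference) {
  const viaLink = storedPreference === 'opt-out';
  const viaGpc = hasGpcOptOut(headers);
  const optedOut = viaLink || viaGpc;
  const allowedTags = TAG_CATALOG
    .filter((tag) => tag.purpose === 'service-provider' || !optedOut)
    .map((tag) => tag.id);
  return {
    optedOut,
    source: viaLink ? 'do-not-sell-link' : viaGpc ? 'gpc' : 'none',
    allowedTags,
  };
}

// Constructed sample requests showing each path through the decision.
const SAMPLE_REQUESTS = [
  { label: 'GPC enabled', headers: { 'sec-gpc': '1' }, stored: null },
  { label: 'GPC header present but not "1"', headers: { 'sec-gpc': '0' }, stored: null },
  { label: 'no signal, link opt-out on file', headers: {}, stored: 'opt-out' },
  { label: 'no signal at all', headers: {}, stored: null },
];

for (const req of SAMPLE_REQUESTS) {
  const decision = resolveTrackingDecision(req.headers, req.stored);
  console.log(`${req.label}: optedOut=${decision.optedOut} source=${decision.source} tags=${decision.allowedTags.join(',')}`);
}
```

Two design points worth keeping when adapting this: the decision is evaluated on every request rather than cached with the page, because the signal travels with the request and the same URL must render differently for opted-out users (set `Vary: Sec-GPC` if responses are cached); and the opt-out is also persisted against the consumer’s account or cookie, so that a later request without the header (a different browser, a mobile app) still reflects the choice the consumer already made.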

2. The “Sale” Definition is Broad

The AG’s position that Sephora’s use of advertising trackers constituted a “sale”, even without direct monetary payment, confirms that sharing data for advertising purposes is treated as a sale under California law. Organizations using third-party ad tech should carefully evaluate whether their practices constitute a sale and ensure appropriate disclosures.

3. Valid Service Provider Agreements Remain Critical

Had Sephora entered into valid CCPA-compliant service provider agreements with the recipients of its data, the sharing may not have constituted a “sale.” Organizations should review all contracts with ad tech vendors to ensure they include CCPA-required provisions.

4. Health-Inference Data Draws Extra Scrutiny

The AG specifically noted data that could reveal health-related information (such as prenatal vitamin purchases). With the CPRA’s expanded protections for sensitive data, organizations should be particularly careful about data that could reveal health conditions.

5. The 30-Day Cure Period is Ending

For violations occurring after January 1, 2023, the CPRA eliminates the 30-day cure period that existed under the original CCPA. The Sephora case was the last enforcement action in which businesses could cure violations before paying penalties.

For a comprehensive CCPA/CPRA compliance framework, see our earlier post, Winter Is Coming: 10 Steps Organizations Should Be Taking Now.

Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.