CPPA Regulation in Full Swing After Recent Sephora Lawsuit
While news broke earlier this month that French multinational beauty care products retailer Sephora was being hit with a $1.2 million fine for violating the California Consumer Privacy Act (CCPA), they were far from the only company that has drawn the ire of current California attorney general Rob Bonta. This being said, as been widely reported by various news sources during the past few weeks, “More than 100 public and private companies received letters from California Attorney General Rob Bonta as part of the 2021 sweep of large retailers that led to the Sephora settlement, and many more letters have gone out to comparable businesses in recent weeks as part of a new sweep, according to a spokesperson for the attorney general’s office.”
Subsequently, while the CCPA was initially passed in 2018, the law did not go into effect until 2 years after in 2020. For this reason, many businesses that currently serve customers within the state of California have failed to adequately prepare themselves for the new restrictions and stipulations that will be imposed upon them moving forward. As a result of these new developments, some companies that have been contacted by Bonta have already begun making strides toward maintaining compliance with the new law. However, there are still many other businesses that are under investigation at the current moment.
Complying with the CCPA
To this last point, in spite of the fact that a spokeswoman for Sephora has confirmed that the beauty retailer began working with the California Attorney General’s office in 2021 when the company was informed that they were under investigation, they were still hit with a multi-million dollar fine for violating the CCPA. More specifically, Sephora was accused of having granted third-party companies access to the personal information of the businesses’ multitude of customers, which included location data and specific information concerning the products and services that customers purchased when browsing the internet, among other things.
To this end, the provisions of the CCPA forbid businesses from selling the personal information of California residents without first obtaining consent from said residents. What’s more, businesses that collect personal data from California consumers must also ensure that the purposes for which they use such information are consistent with the explanation that was provided to consumers at the time in which their personal information was collected. Nevertheless, large-scale retailers such as Sephora, as well as social media companies such as Meta and Instagram, frequently use the personal data of their customers in order to deliver targeted advertising campaigns to other consumers.
The scope and size of a business
On the other hand, there have also been a host of other businesses that operate within California that have failed to maintain compliance with the law. However, in contrast to massive corporations such as Sephora, these other companies have disregarded the law under the guise of their businesses being too small to apply to the stipulations of the CCPA. To illustrate this point further, many small and mid-sized businesses that operate within California have been led to believe that the provisions of the CCPA would not apply to them. For reference, the overwhelming majority of U.S. states have yet to enact legislation such as the CCPA, meaning that many practices that have been outlawed within California are perfectly legal in other states.
On top of this, the language of the CCPA has also led some companies to violate the law unknowingly, as the term “sale” encompasses any transfer of personal information that a business has obtained from a customer to a third party, irrespective of whether or not money was exchanged during the process. In this way, the CCPA has also altered the means by which businesses can market their products within the state of California, as maintaining compliance with the law would entail these companies confirming that they sell the data of prospective customers in accordance with the way in which the term “sell” is defined under the law.
The General Privacy Control (GPC)
Alternatively, consumer use of the Global Privacy Control (GPC) within California, a “specification designed to allow Internet users to notify businesses of their privacy preferences”, has further complicated the compliance process for businesses looking to abide by the provisions of the CCPA. For context, the CCPA was amended last year to require businesses to recognize the GPC preferences of California consumers, meaning that any businesses that fail to adhere to the specific preferences that a particular consumer has established when using the online site of a given business will have effectively violated the law. For example, a consumer could set their GPC settings to “Do Not Sell” when using a particular website, and businesses must honor these preferences in order to maintain compliance with the CCPA.
As the U.S. is very much behind the rest of the world in many respects as it concerns personal privacy and data protection legislation, states around the country may very well follow the lead of California as it relates to state-level laws that are geared toward protecting consumers from invasions of privacy. Due to this fact, many businesses that serve customers across multiple U.S. states will have to begin changing their data collection and tracking practices, as actions there are permissible in one state may be deemed illegal in another state in the upcoming years, as issues regarding personal privacy continue to at the forefront of everyone’s mind.