Sephora and the CCPA, New Data Privacy Violations

On August 27, 2022, French multinational beauty retailer Sephora was ordered to pay $1.2m to settle claims that the company had violated the California Consumer Privacy Act (CCPA). According to documents that were filed in the Superior Court of the State of California, the company is alleged to have “granted third-party companies including advertising networks and data analytics providers access to its customers’ online activities in exchange for advertising or analytic services. This allegedly allowed these third parties to create profiles of netizens by tracking whether they, for instance, used a MacBook or a Dell, the brand of eyeliner they bought, or even which prenatal vitamins they added to their online shopping cart, as well as their precise location.”

Under the CCPA, consumers in California retain the right to opt out of the sale of any personal information they have submitted to a retailer such as Sephora. The allegations aimed at the company would therefore constitute a violation of the CCPA, as the beauty retailer did not obtain consent from Sephora customers prior to using their personal data to drive targeted advertising campaigns. For its part, a spokesperson for Sephora responded to these allegations by stating that the company “respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience”, while also stating that “Sephora uses data strictly for Sephora experiences.”

CCPA enforcement

Although the CCPA was enacted almost four years ago in 2018, the civil penalties imposed on Sephora this past Saturday marked the first instance of such punitive measures being levied against a business found to have violated the law. California Attorney General Rob Bonta has stated that he and his office have spent the last year probing businesses that operate within the state to ensure that they were adhering to the provisions established in the CCPA. That probe found that the ways in which Sephora was actually protecting consumers were inconsistent with what the company had stated publicly.

More specifically, Bonta has been quoted as saying that “the state’s used browser extensions to monitor network traffic involving third-party advertising and analytics providers when visiting Sephora’s dot-com, and then looked at how that traffic changed when consumers turned on the Global Privacy Control (GPC) — essentially telling Sephora: do not sell my info. According to the court document, Sephora’s site ignored that signal.” For reference, the CCPA mandates that businesses respect consumers’ choices regarding the collection, processing, retention, sale, or transfer of their personal information, irrespective of how consumers communicate these preferences to a company such as Sephora when browsing its website.
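The before-and-after traffic comparison described above can be run as a self-audit. The following is an added example, not code from the court filing or from Sephora: the site `shop.example`, the third-party hosts, the captures, and the function names are all constructed for illustration, and it assumes the signal is sent as the `Sec-GPC: 1` request header defined by the GPC proposal.

```javascript
// Constructed captures: requests seen while loading one page of a
// hypothetical site, once without and once with the GPC signal enabled.
const FIRST_PARTY = "shop.example";
const baseline = [
  { url: "https://www.shop.example/cart", headers: {} },
  { url: "https://cdn.shop.example/app.js", headers: {} },
  { url: "https://ads.adnetwork.example/pixel?item=eyeliner", headers: {} },
  { url: "https://collect.analytics.example/v1/event", headers: {} },
];
const withGpc = [
  { url: "https://www.shop.example/cart", headers: { "Sec-GPC": "1" } },
  { url: "https://cdn.shop.example/app.js", headers: { "sec-gpc": "1" } },
  { url: "https://ads.adnetwork.example/pixel?item=eyeliner", headers: { "Sec-GPC": "1" } },
];

// A host is third party if it is neither the site's domain nor a subdomain of it.
function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

function thirdPartyHosts(capture, firstParty) {
  const hosts = new Set();
  for (const req of capture) {
    const host = new URL(req.url).hostname.toLowerCase();
    if (isThirdParty(host, firstParty)) hosts.add(host);
  }
  return hosts;
}

// Confirm the "GPC on" capture really delivered the signal to the first party;
// otherwise the comparison says nothing. Header names are case-insensitive.
function signalSent(capture, firstParty) {
  return capture.some((req) =>
    !isThirdParty(new URL(req.url).hostname.toLowerCase(), firstParty) &&
    Object.entries(req.headers).some(
      ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"));
}

// Compare third-party hosts contacted before and after enabling GPC.
function auditGpc(firstParty, before, after) {
  if (!signalSent(after, firstParty)) {
    throw new Error("GPC capture carries no Sec-GPC: 1 header to the first party");
  }
  const a = thirdPartyHosts(before, firstParty);
  const b = thirdPartyHosts(after, firstParty);
  return {
    stopped: [...a].filter((h) => !b.has(h)).sort(),
    persisting: [...a].filter((h) => b.has(h)).sort(),
    added: [...b].filter((h) => !a.has(h)).sort(),
  };
}
```

A host listed under `persisting` is a lead for review rather than proof of a sale: whether that data flow is covered by the opt-out depends on the contract and purpose behind it.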

Data privacy across the U.S.

Although numerous states around the country have passed comprehensive data protection laws in the last few years, including the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act, among others, very few enforcement decisions have been imposed against businesses or organizations that have failed to comply with such legislation, as gathering the evidence necessary to successfully investigate a major company such as Sephora takes time. Nevertheless, the ways in which California Attorney General Rob Bonta systematically probed businesses within his state could provide other states with a blueprint to follow when looking to reduce occurrences of data privacy violations within their own jurisdictions.

Global Privacy Control

What’s more, the role that the Global Privacy Control played in California Attorney General Rob Bonta’s enforcement decision also has the potential to influence the ways in which major companies and corporations engage with consumers via their websites. As stated by Forrester Research analyst Stephanie Liu, “The Global Privacy Control has been an idea for a couple of years now, and it still hasn’t been widely adopted — it’s not in Google Chrome, for example. This clearly signals that the California AG takes it seriously and is already considering it to be valid as a form of opt-out.” In this way, the $1.2m that Sephora has been ordered to pay could impact the data privacy landscape across the U.S. for years to come.

On top of the $1.2m monetary penalty that the California Attorney General’s Office has ordered Sephora to pay, the beauty company is also responsible for clarifying “its online disclosures and privacy policy to make it clear that it sells data, and provide ways for netizens to opt-out of this, including via the GPC.” More importantly, however, the most recent enforcement of the CCPA represents a win not only for residents of California, but also for the millions of other people who reside within the U.S.’s other 49 states, as this legal ruling will likely set the precedent for future privacy violations in the years to come.