Sephora, Inc. recently became the target of California’s first public enforcement of the California Consumer Privacy Act (CCPA), and Attorney General Rob Bonta is signaling that more will follow. Companies doing business in California should learn from Sephora’s consumer data privacy missteps to avoid becoming the next focus of CCPA public enforcement.
On Aug. 24, 2022, Sephora settled with the Attorney General’s office after allowing third-party companies to create consumer profiles for targeted marketing, despite the fact that consumers were not given the right to opt out of this sale—a violation of the CCPA. To resolve these claims, the cosmetics chain agreed to pay $1.2 million, inform consumers that it sells their personal data, and honor consumers’ requests to opt out of such sales.
The investigation into Sephora began when the Attorney General’s office initiated an “enforcement sweep” in June 2021. By spot-checking more than one hundred online retailers’ compliance with CCPA’s opt-out rules, the Attorney General determined whether online retailers offered (and honored) consumers’ rights to opt out of the sale of their personal data. Sephora received notice that it was not compliant with the CCPA, but the company failed to fix the alleged violations after its thirty-day grace period, prompting further investigation.
According to Attorney General Bonta, this settlement should be considered a warning to all CCPA-covered businesses. “Today’s settlement with Sephora makes clear we will not hesitate to enforce the law,” he said. “It’s time for companies to get the memo, protect consumer data, honor their privacy rights.” Companies doing business in California should heed Bonta’s warning and get their privacy house in order. As they work to comply with the CCPA and the California Privacy Rights Act (CPRA)—which becomes effective January 1, 2023—businesses should learn from Sephora’s settlement to avoid becoming California enforcers’ next target.
Utilize—But Do Not Rely On—a Grace Period to Cure Noncompliance
Businesses should immediately cure their noncompliance when the Attorney General notifies them of law violations—but they should no longer rely on such a grace period. Whereas the CCPA required the Attorney General to provide businesses with 30 days to cure the violation before enforcing the law, the CPRA eliminates this requirement on January 1, 2023 and instead gives enforcers discretion on whether to provide a grace period.
In this case, the Attorney General notified a number of businesses that they failed to honor consumers’ opt-out requests and provided them with thirty days to cure their noncompliance. Sephora disregarded the warning—a $1.2 million mistake.
Since businesses may no longer expect a grace period to cure any shortcomings before the Attorney General brings an enforcement action, businesses should enter 2023 fully compliant with CPRA. Those that are fortunate enough to still receive notice of their noncompliance before being penalized should take full advantage of the opportunity, immediately curing their CPRA violations.
Know Whether You “Sell” or “Share” Personal Data
The CCPA and CPRA require businesses that “sell” or “share” personal information to give consumers the opportunity to opt out of this transaction. However, both terms are afforded somewhat nuanced definitions. “Selling” means transferring a consumer’s personal information to a third party for monetary or other valuable consideration. “Sharing” means transferring a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for valuable consideration. Significant exceptions are baked into these definitions, allowing businesses that would otherwise “sell” or “share” personal data to do so without offering consumers the right to opt out.
The term “valuable consideration” has given many stakeholders pause, since this undefined term can determine a business’s legal liability. The action against Sephora demonstrates one application of it. In the complaint, Attorney General Bonta alleged that Sephora installed third-party trackers in the form of cookies, pixels, software development kits and other technologies that automatically sent data about consumers’ online behavior to third parties. Sephora allegedly “sold” consumer data when it gave companies access to this data in exchange for free analytics and advertising benefits, without providing consumers the opportunity to opt out of the sale. On the Attorney General’s reading, then, “valuable consideration” includes receiving information about a consumer’s activities and preferences; no money needs to change hands.
Notably, this transaction between Sephora and the third parties would likely have been permitted if Sephora had a compliant service provider contract with each third party (under a common exception to a “sale”). However, Sephora failed to establish this relationship. Perhaps misapprehending the law’s requirements, the cosmetics company found itself without legal cover.
Businesses should learn from Sephora’s oversight and scrupulously examine the CPRA’s precise language and subsequent applications of these laws—particularly regarding “selling” and “sharing.” Many of the CPRA’s mandates include legal terms of art and exceptions, which include other terms of art and exceptions. As they enter 2023, businesses must fully grasp the law’s detailed requirements and comprehend how their current practices map onto these obligations.
Honor Opt-Out Requests via Global Privacy Controls
Businesses should review and test their technical procedures to ensure that Global Privacy Control (GPC) signals are honored. Initially, there was some uncertainty about whether the CCPA requires businesses to honor consumer opt-outs received via GPCs—plug-ins that allow consumers to universally opt out of the sale of their data across all websites. Subsequent CCPA regulations put the issue to rest: businesses must now treat user-enabled GPCs as a valid consumer request to opt out of the sale. However, Sephora’s website was not configured to detect or process any GPC signals and entirely disregarded these requests, in clear violation of this regulation. The Sephora settlement underscores the California regulators’ consistent emphasis not just on honoring GPC mechanisms, but also on consumers’ efficient management of their CCPA-established rights.
Businesses should learn from Sephora’s counterexample and, at the very least, test their technical capability to detect and process GPC signals. Taking it a step further, businesses should embrace the spirit of the settlement and empower their consumers to easily exercise their data rights. By ensuring that privacy disclosures are candid and clear, opt-out mechanisms are conspicuous, and links are fully operative, businesses can help mitigate the risk of public enforcement.
Sephora’s $1.2 million settlement should serve as a cautionary tale to businesses still honing their CCPA and CPRA compliance. Businesses should utilize a grace period if they are provided time to cure (although soon this will no longer be mandated), know how their data practices apply to the laws’ detailed requirements, and consistently honor consumer opt-out requests—including those made via GPCs. In so doing, businesses can minimize the odds of becoming the industry’s next source of “lessons learned” for CCPA and CPRA compliance.