The California AG’s proposed settlement with Sephora is part of a broader enforcement sweep of large online retailers launched by the agency in June 2021 to investigate whether retailers continue to sell personal information when a consumer opts-out through the Global Privacy Control (GPC).
Through the GPC, consumers can download a browser that will signal to every website they visit that they wish to exercise their legal privacy rights without having to click on an opt-out link for each individual website they visit. Under the CCPA, companies must adhere to opt-out requests made by user-enabled GPCs.
Through its broad enforcement sweep, the California AG discovered that Sephora, like many other online retailers, installed third-party tracking software on its website and in its app that enabled third parties to monitor consumers’ shopping habits, which allow retailers like Sephora to more effectively target potential customers, the California AG stated.
“When a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web,” the California AG stated in its complaint, filed Aug. 23 in the Superior Court of California.
“Sephora’s arrangement with these companies constituted a sale of consumer information under the CCPA, and it triggered certain basic obligations—such as telling consumers that they are selling their information and allowing consumers to opt-out of the sale of their information. Sephora did neither,” the California AG stated in its press release. Sephora further failed to remediate these violations within the 30-day period required by the CCPA, the agency stated.
Settlement terms
Under the terms of the proposed settlement, announced by the California AG Aug. 24, Sephora must also implement the following compliance measures:
- Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the GPC;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the attorney general relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor GPC.
In a statement, California AG Rob Bonta said he hopes the Sephora settlement “sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”
AG Bonta further warned that, two years into the CCPA taking effect, companies can no longer avoid liability simply by remediating CCPA violations after being caught. “There are no more excuses,” he said. “Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
The California AG has several other companies in its sight. On the same day it announced its proposed settlement with Sephora, the agency said it sent notices to a number of other companies, in which it alleges noncompliance with the CCPA relating to their failure to process consumer opt-out requests. Recipients of those letters have 30 days to remediate the alleged violations or face an enforcement action. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.