California Fines Sephora $1.2 Million for Privacy Violations
Retailer Accused of Selling Customer Data While Failing to Honor Opt-Out Requests
California has fined retailer Sephora $1.2 million for failing to comply with the state's privacy law.
As part of a settlement agreement, Sephora has also agreed to make a range of changes, including making it clear that it sells customers' data to others and honoring customers' requests to opt out of those sales.
The settlement resolves allegations by the state's Department of Justice that Sephora violated the California Consumer Privacy Act, or CCPA, which went into effect in July 2020.
Sephora, based in Paris, sells personal care and beauty products online as well as via more than 2,600 stores worldwide. Its U.S. subsidiary is headquartered in San Francisco.
"We reached a settlement with Sephora for failing to disclose that it was selling consumer data, failing to honor requests to opt-out of sale, and failing to fix these violations," says Attorney General Rob Bonta. "The CCPA has been in effect for two years. There are no more excuses. Follow the law, honor consumers' rights, and process opt-out requests made via user-enabled global privacy controls."
The office of California's attorney general says Sephora had been warned that it was violating CCPA and given 30 days to rectify the problems, but failed to do so.
Sephora Responds
"Sephora respects consumers' privacy and strives to be transparent about how their personal information is used to improve their Sephora experience," a spokesperson tells Information Security Media Group.*
"It is important to note that Sephora uses data strictly for Sephora experiences. However, the California Consumer Privacy Act does not define 'sale' in the traditional sense of the term. 'Sale' includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads."
The company says that now, "consumers have the opportunity to opt-out of this personalized shopping experience by clicking the 'CA – Do Not Sell My Personal Information' link on the footer of the Sephora.com website or by using a browser that broadcasts the Global Privacy Control."
The company also emphasized that it was not the victim of a data breach, and that the settlement "does not constitute an admission of liability or fault by Sephora."
Settlement Agreement
Under the terms of the settlement agreement, beyond paying the $1.2 million fine, the attorney general says the retailer must also:
- Clearly state via "its online disclosures and privacy policy" that it sells customers' data;
- Give consumers the ability "to opt out of the sale of personal information," including via the Global Privacy Control approach;
- Ensure all its agreements with all service providers stipulate that they must comply with CCPA rules;
- Provide regular updates to the attorney general detailing its approach to the "sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control."
Privacy Business Case
The Sephora settlement provides "concrete risk figures" for any organization that does business in California, as it builds its business case for addressing the privacy rules, says privacy expert Michelle Dennedy, CEO of software-as-a-service platform PrivacyCode.
"Boom. 7 digit fines levied. Plus legal cost. Plus business disruption.
Plus building the required protections into the systems that should already be present.
If you are a privacy pro short on business case, here are some concrete risk figures. #PrivacyEngineering on pic.twitter.com/qPl4O55UOb"
— Michelle Finneran Dennedy, JD (@mdennedy), August 24, 2022
California's Privacy Probe Continues
Authorities say the probe of online retailers' privacy practices continues, and that notices were sent Wednesday "to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC."
The proposed GPC specification is designed to allow consumers to set a single "Do Not Sell" and "Object To Processing" flag. The CCPA mandates that all organizations that process California consumers' personally identifiable information offer such functionality.
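The GPC mechanism the article refers to is, on the wire, a single HTTP request header: a browser with the signal enabled sends `Sec-GPC: 1`, and the specification also defines a `/.well-known/gpc.json` resource through which a site announces that it honors the signal. The following is an added example written for this page, not code from Sephora, the attorney general's office or the GPC project; it shows the server-side check a site operator needs in order to treat the signal as an opt-out before any sale or sharing of personal information takes place. The `Request` object, the `stored_opt_out` field and the policy in `may_sell_or_share` are assumptions made for the example; the header name, its required value of `1` and the well-known resource come from the GPC specification.

```python
"""Honor a Global Privacy Control (GPC) opt-out signal on the server side.

Added illustration for this article, not Sephora's or the GPC project's code.
Per the GPC specification, a user agent with the signal enabled sends the
HTTP request header `Sec-GPC: 1`; the specification also defines the
/.well-known/gpc.json resource. The Request representation and the
sale/sharing policy below are assumptions made for this example.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (assumed shape)."""
    headers: Mapping[str, str] = field(default_factory=dict)
    # Site-specific choice already recorded for this visitor, e.g. via a
    # "Do Not Sell My Personal Information" link. None means no choice stored.
    stored_opt_out: Optional[bool] = None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries exactly `Sec-GPC: 1`.

    Header names are case-insensitive. Any value other than "1" (for example
    "0", "true" or an empty string) is treated as no signal, which is the
    conservative reading of the specification.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def may_sell_or_share(req: Request) -> bool:
    """Decide whether sale/sharing of personal data may occur for this request.

    Policy used here (an assumption, but the conservative choice):
      1. A stored opt-out always wins, even when no GPC header is present.
      2. Otherwise a GPC signal is treated as an opt-out for this interaction.
      3. Only when neither is present may third-party sale/sharing proceed.
    """
    if req.stored_opt_out:
        return False
    if gpc_signal_present(req.headers):
        return False
    return True


def well_known_gpc(last_update: str) -> str:
    """Body for /.well-known/gpc.json announcing that the site honors GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def demo() -> Dict[str, bool]:
    """Run the decision over constructed sample requests (not real traffic)."""
    samples = {
        "no signal, no stored choice": Request(headers={"User-Agent": "x"}),
        "gpc header set": Request(headers={"Sec-GPC": "1"}),
        "gpc header malformed": Request(headers={"Sec-GPC": "yes"}),
        "stored opt-out, no header": Request(headers={}, stored_opt_out=True),
    }
    return {label: may_sell_or_share(req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:32s} -> sale/sharing allowed: {allowed}")
```

The malformed-header case is the one worth noticing: a value such as `Sec-GPC: yes` is not a valid signal, so the code falls through to the stored preference rather than guessing. A site that wants to go further than the specification requires can simply treat any present `Sec-GPC` header as an opt-out; that is a policy choice, and the decision function is the one place it would change.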
Businesses contacted by the attorney general's office as part of the CCPA probe have 30 days to address the allegations before potentially facing sanctions.
But authorities warn that as of Jan. 1, 2023, the state will no longer be required to give suspected CCPA violators 30 days' notice to come into compliance. Instead, they may be immediately subject to enforcement actions.
*Update Aug. 25, 2022, 13:30 UTC: Adds comment from Sephora.