By: Madeleine V. Findley and Effiong Ok. Dampha
On August 24, 2022, California Lawyer Common Rob Bonta introduced a $1.2 million settlement with cosmetics retailer Sephora Inc. (Sephora), the primary public enforcement motion beneath the California Shopper Privateness Act (CCPA). The settlement resolved allegations that Sephora didn’t disclose it was promoting customers’ private data, didn’t honor opt-out requests from user-enabled international privateness controls, and didn’t remedy these violations inside 30 days, as required by CCPA. The settlement is a part of “an enforcement sweep” of on-line retailers and their use of third-party monitoring software program on web sites and cellular apps. The Lawyer Common concurrently introduced a brand new “investigative sweep” targeted on whether or not companies are complying with opt-out requests from user-enabled international privateness controls. Lawyer Common Bonta underscored his dedication to “sturdy enforcement” of California’s privateness regulation, stating “My workplace is watching, and we are going to maintain you accountable.”
Sephora Settlement for Failure to Disclose Third-Occasion Monitoring and Honor Choose-Out Requests
In keeping with the Lawyer Common, Sephora allowed third-party corporations to put in cookies and different monitoring software program on its web site and in its app that collected information about customers, together with the kind of system a client used, the model of beauty product the buyer positioned within the purchasing cart, and the buyer’s exact location. The Lawyer Common discovered this information sharing to be a sale of client data, and that Sephora had didn’t notify customers of the sale and supply an opt-out or to honor opt-out requests by way of international privateness controls.
The settlement required Sephora to pay $1.2 million in penalties and to:
- make clear its on-line disclosures and privateness coverage to state that it sells information,
- present choose out mechanisms, together with by way of the International Privateness Management, and
- conform its service supplier agreements to the CCPA’s necessities.
The settlement additionally required Sephora to offer standing studies to the Lawyer Common on its progress on every of those obligations.
Notices of Non-Compliance with International Privateness Controls
The Lawyer Common additionally introduced a “new investigative sweep” targeted on compliance with international privateness controls. As a part of this “sweep,” the Lawyer Common despatched notices of non-compliance on August 24 to over a dozen companies regarding their alleged failure to course of client opt-out requests made by user-enabled international privateness controls, such because the GPC. After quietly including an FAQ concerning the GPC to the AG’s CCPA webpage in 2021 that the GPC “have to be honored” as a request to choose out of the sale of non-public data, the AG’s actions sign an more and more aggressive enforcement strategy. Companies that obtain a discover could have 30 days to remedy their noncompliance—however this proper to remedy will expire when the California Privateness Rights Act turns into efficient on January 1, 2023. The brand new spherical of notices makes clear that the Lawyer Common’s expectation that companies will honor user-enabled international privateness controls.
Further Case Examples
The Lawyer Common additionally up to date the CCPA Enforcement Case Examples webpage for the primary time since July 2021 with 13 new case summaries. These embrace failure to honor client choose out requests, failure to appropriately disclose monetary incentives in loyalty packages, flaws in responding to client requests to entry or delete private data, and non-compliant privateness insurance policies. The companies concerned ranged from telehealth suppliers to fintech to health chains.
In a press assertion, Lawyer Common Bonta emphasised his view that the Sephora settlement would “ship a robust message to companies,” and famous “there are not any extra excuses” for not complying with CCPA. The settlement, case examples, and new spherical of notices mirror an more and more sturdy give attention to implementing California privateness regulation, and pose extra compliance challenges as companies put together for the California Privateness Rights Act to take impact in 2023.
 Press Launch, Cal. Dept. of Justice, Lawyer Common Bonta Publicizes Settlement with Sephora as A part of Ongoing Enforcement of California Shopper Privateness Act (Aug. 24, 2022), https://oag.ca.gov/information/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement (AG Bonta Press Launch)
 AG Bonta Press Launch
 AG Bonta Press Launch; California v. Sephora, Inc., Case No. CGC-22-601380 (Cal. Sup. Ct. Aug. 24, 2022), out there at https://oag.ca.gov/system/recordsdata/attachments/press-docs/Filed Judgment.pdf