Enforcement of California’s comprehensive privacy law began in earnest on Wednesday as the state’s attorney general (AG) Rob Bonta announced a $1.2 million settlement with French cosmetics chain Sephora.

As the first settlement or fine under the California Consumer Privacy Act (CCPA), the Sephora case is an interesting one, reiterating California’s new rules on cookies and browser settings that affect thousands of companies.

And as an enforcement action directed against a company based in France, the case sends a clear message to multinationals operating in the state.

Monitoring Consumers as They Shop

The clearest CCPA violation found by the AG was Sephora’s failure to fulfil the CCPA’s “Do Not Sell” requirements.

The AG’s complaint discusses Sephora’s use of tracking software that allows “third parties” to “monitor consumers as they shop”.

The complaint states that Sephora collects information about “the products that consumers view and purchase, consumers’ geolocation data, cookies and other user identifiers, and technical information about consumers’ operating systems and browser types.”

“Some of these third-party companies create entire profiles of users who visit Sephora’s website, which the third parties then use for Sephora’s benefit,” the complaint reads.

The complaint’s introduction discusses the harms of online surveillance in quite severe terms.

This includes a post-Dobbs reference to the possibility that tracking the purchase of certain Sephora products, namely “prenatal and menopause support vitamins”, could reveal the fact that a consumer is pregnant.

The passage makes it clear that the AG is getting serious about cookie enforcement.

‘We Do Not Sell Personal Information’

The CCPA’s headline provision requires businesses to enable consumers to opt out of “the sale of their personal information”. 

A “sale” includes the transfer of personal information to a third party for “valuable consideration”—characterised by the AG in his complaint as meaning “anything of value”.

“Sephora’s relationships with these third parties met that definition, because Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits,” reads the complaint.

Despite this, the company failed to provide a “Do Not Sell My Personal Information” facility on its website, as required under Section 1798.135(a) of the CCPA.

In fact, as noted in the complaint, the company “did the opposite”, declaring in its privacy policy that it does not sell personal information.

There should be no doubt by now that the use of third-party cookies for marketing or even analytics purposes constitutes a “sale” under the CCPA. 

Beyond the definition itself, and subsequent comments by the AG, a list of case examples published by the AG’s office last July features several companies that were warned that their use of online tracking tools brings them under the CCPA’s scope.

Service Provider Contracts

The AG’s complaint notes that Sephora “did not have valid service provider contracts in place with each third party.” 

Creating service provider contracts with its analytics providers could have helped Sephora escape the CCPA’s “selling” provisions—while still receiving many of the same benefits and not being required to offer users an opt-out.

When a business shares personal information with an entity under a valid service provider contract, the CCPA says the business is no longer “selling” that personal information. Instead, the business is sharing the information for “business purposes” performed by the service provider.

Among the seven categories of acceptable business purposes identified at Section 1798.140(d) of the CCPA appear “providing advertising or marketing services” and “providing analytic services”.

Cynically, it might be noted that this is basically the same activity that the AG deems inherently problematic in his introduction to the complaint.

However, service provider contracts do come with some additional safeguards attached, including a prohibition on the re-use of personal information by the service provider.

And note that the California Privacy Rights Act (CPRA), which will take effect in January, will amend the CCPA to exclude “cross-context behavioural advertising” from the list of business purposes. This is one of the services Sephora received from its analytics providers.

Global Privacy Control

Perhaps the most significant element of the Sephora settlement is the fact that the company was penalised for failing to acknowledge opt-out signals sent via Global Privacy Control (GPC).

GPC enables a user to send a default “Do Not Sell” request to CCPA-covered businesses’ websites via their browser. GPC is a successor to protocols such as Do Not Track (DNT).

California’s older privacy law, the California Online Privacy Protection Act (CalOPPA), required website operators to disclose whether they honoured opt-out signals received via DNT. The CCPA goes further, requiring businesses to treat GPC signals as valid opt-out requests.

The first batch of CCPA Regulations noted that consumers could use a “browser setting” to make an opt-out request. Then in an FAQ document last July, the AG specifically cited GPC as an “acceptable method” by which consumers could signal their desire to opt out.

The AG’s complaint notes that, by failing to detect or process GPC signals, Sephora “wholly disregarded consumers who communicated to the company, via a global opt-out signal, that Sephora should not sell their personal information”.
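As an added illustration (not Sephora’s code, nor anything from the AG’s complaint), the Node-runnable JavaScript below shows how a site can treat the GPC signal described above as a valid “Do Not Sell” request and gate its third-party tags accordingly, still loading tags covered by a valid service provider contract after an opt-out, as the service provider section explains. The tag catalogue, the example domains and the `dns_optout` cookie are constructed assumptions; the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are the mechanisms defined by the GPC specification.

```javascript
// Constructed tag catalogue (assumption): each third-party tag is labelled with whether
// loading it would be a "sale" of personal information or is covered by a service
// provider contract (a CCPA "business purpose" such as analytics).
const TAG_CATALOG = [
  { id: "analytics-sp", src: "https://analytics.example/sp.js",  role: "service-provider" },
  { id: "adnet",        src: "https://ads.example/pixel.js",      role: "sale" },
  { id: "retarget",     src: "https://retarget.example/tag.js",   role: "sale" },
];

// Server side: the GPC spec sends the signal as the request header "Sec-GPC: 1".
// Header names are case-insensitive; only the exact value "1" is an opt-out, so an
// absent header, "0" or "true" must not be treated as one.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return !!(nav && nav.globalPrivacyControl === true);
}

// The site's own "Do Not Sell" control, persisted in a constructed cookie (assumption).
function siteOptOutFromCookie(cookieHeader) {
  return (cookieHeader || "").split(";").some((c) => c.trim() === "dns_optout=1");
}

// Select the tags that may load. An opt-out from either source suppresses every tag
// whose loading would be a sale; service provider tags remain permitted.
function selectTags({ gpc = false, siteOptOut = false } = {}) {
  const optedOut = gpc || siteOptOut;
  return TAG_CATALOG
    .filter((t) => t.role === "service-provider" || !optedOut)
    .map((t) => t.id);
}

// Convenience wrapper for a server-rendered page: combine both opt-out sources.
function tagsForRequest(headers, cookieHeader) {
  return selectTags({
    gpc: gpcFromHeaders(headers),
    siteOptOut: siteOptOutFromCookie(cookieHeader),
  });
}

// Example: a browser sending GPC gets only the service provider tag.
console.log(tagsForRequest({ "Sec-GPC": "1" }, ""));   // ["analytics-sp"]
```

A site that never consults either signal, as the complaint describes, would load all three tags for every visitor regardless of what the consumer asked for.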

Notice and Cure

Much to the displeasure of some privacy advocates, the CCPA provides a get-out-of-jail-free card for businesses that violate the law.

If the AG’s office hopes to bring a case against a non-compliant business, it must provide 30 days’ notice and enable the company to “cure” the violation within that period.

For whatever reason, Sephora did not fix the issues with its website within the time frame.

In hindsight, it should be clear to the company that it would have been wise to simply throw resources at the problem for a month. Anything less than $1.2m would have been economical.

A Warning to Multinationals

Finally, it is significant that the target of this enforcement action was not a Silicon Valley tech firm or any other Californian company but a French company whose website was accessible to California consumers.

Sephora is no minnow—the cosmetics giant’s 2021 global turnover was over $17bn, according to its earnings report. And the company does have retail outlets in California.

But the case should serve as a reminder of the importance of CCPA compliance for multinationals operating in California.

Incidentally, Sephora was also the target of cookie enforcement in France earlier this year when the French regulator declared the firm’s use of Google Analytics illegal. 

But that’s the way the cookie crumbles…

Injunctive Terms

Along with the $1.2m payment to the AG (which is not yet court-approved), Sephora has agreed to the following injunctive terms as part of its settlement:

  1. Allowing consumers to opt out of the sale of their personal information, including via GPC
  2. Clarifying its privacy policy, including by explaining its policy on selling personal information
  3. Putting valid service provider agreements in place
  4. Providing reports to the AG on the above

Managing a Multinational Privacy Program at #RISK

With an increasingly complex and demanding global patchwork of regulation emerging, managing a privacy program across jurisdictions can be a daunting task.

At #RISK, taking place at the ExCeL, London on Nov 16-17, we’ll be discussing how to implement a global data protection strategy that satisfies regulatory requirements across borders.