California Attorney General Bonta announced that Sephora, the cosmetic retailer, has agreed to pay $1.2 million to settle allegations that the company failed to comply with the California Consumer Privacy Act of 2018 (“CCPA”).
The Attorney General’s complaint asserts that Sephora failed to inform consumers that it was selling their personal information to third parties. Sephora also purportedly failed to process consumer requests to opt out of Sephora’s sale of their personal information. Specifically, the complaint alleges that Sephora neglected to honor opt-out requests that were submitted to Sephora via a privacy tool called a Global Privacy Control, which is a third-party browser-setting that automatically opts the consumer out of the sale of personal information on each website that the consumer visits.
Since Sephora sold consumers’ personal information to third parties, the company was obligated to alert consumers of its practices and to offer an opt-out option. Per the CCPA, the Attorney General provided Sephora with 30-days’ notice to cure its violations. However, Sephora failed to act within the statutory period.
The Sephora case demonstrates that companies interacting with consumers in California must understand and comply with the requirements of the CCPA or risk significant monetary penalties for noncompliance. It’s important to dial-in CCPA compliance now, because on January 1, 2023, the CCPA will be amended by the California Privacy Rights Act, which will no longer include a 30-day opportunity to cure violations and stave off penalties.
Browse all tags: