California Attorney General orders first enforcement activity under the California Consumer Privacy Act (CCPA)

Ongoing Enforcement of the CCPA

On August 24, 2022, California Attorney General Rob Bonta ordered the first enforcement action under the California Consumer Privacy Act (CCPA), reaching a $1.2 million settlement with retail brand Sephora.

Sephora was found to have violated the CCPA in its sharing of consumer personal information with other businesses. This sharing of consumer personal information was considered a “sale” under the law.

The CCPA defines a “sale” as a business selling or otherwise transferring a consumer’s personal information to another business or third party in exchange for money or “other valuable consideration.” Money need not change hands: sharing data with an advertising partner in return for analytics or targeting services qualifies, which is what caught Sephora.

Below we have a detailed breakdown of the violation and what companies should be doing to avoid similar enforcement activity.


After an enforcement sweep of online retailers…

Sephora Violations | General Privacy Remediation
1. Failed to disclose to consumers that it was selling their personal information | Provide notice of the sale or sharing of personal information to consumers in a Privacy Policy, and give them a clear opportunity to opt out of the sale
2. Failed to process user requests to opt out of sale via user-enabled global privacy controls | Work with engineering and web development to create a method for detecting and tracking GPC requests to opt out of the sale of personal information
3. Did not cure these violations within the 30-day period currently allowed by the CCPA | Once GPC requests are tracked, develop a workflow to process these opt-out requests within 30 days


The settlement required Sephora to pay $1.2 million in penalties and comply with these injunctive terms:

Sephora’s Injunctive Terms
1.       Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data
2.       Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control
3.       Conform its service provider agreements to the CCPA’s requirements
4.       Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control


Sephora’s privacy policy was updated on August 10, 2022 to address these terms: Privacy Policy | Sephora

What are Global Privacy Controls (GPCs)?

  1. GPC is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether they want their personal information to be sold or shared. On the user’s side it is a setting or extension in the browser or mobile device that attaches the signal to every request; the specification separately gives websites a way to indicate that they support it.
  2. GPC is meant to be a legally binding request to all companies in places with applicable privacy laws.
  3. The CCPA gives California residents the right to opt out of having their data sold. A browser or extension that sends the GPC signal (Privacy Badger, for example) is telling companies that the user would like to exercise that right.
  4. GPC applies to everyone: the first-party sites you visit, and any third-party trackers they might invite in.


How to Detect GPC Signals

Where are GPCs addressed in the regulation?

California Consumer Privacy Act (CCPA) Regulations, Article 3, §999.315(c) – Requests to Opt-Out

(Title 11 of the California Code of Regulations Section 999.315)
