Ongoing Enforcement of the CCPA
On August 24, 2022, California Attorney General Rob Bonta ordered the first enforcement action under the California Consumer Privacy Act (CCPA), reaching a $1.2 million settlement with retail brand Sephora.
Sephora was found to have violated the CCPA in its sharing of consumer personal information with other businesses. This sharing of consumer personal information was considered a “sale” under the law.
The CCPA defines “sale” as the selling or transferring of a consumer’s personal information by a business to another business—or a third party in exchange for money or “other valuable consideration.”
Below we have a detailed breakdown of the violation and what companies should be doing to avoid similar enforcement activity.
After an enforcement sweep of online retailers…
| Sephora Violations | General Privacy Remediation |
| 1. Failed to disclose to consumers that it was selling their personal information | Provide notice of the sale or sharing of personal information to consumers in a Privacy Policy, and give them the clear opportunity to opt-out of the sale |
| 2. Failed to process user requests to opt out of sale via user-enabled global privacy controls | Work with engineering and web development to create a method for tracking the GPC requests to opt-out of the sale of personal information |
| 3. Did not cure these violations within the 30-day period currently allowed by the CCPA | Upon tracking the GPC requests, develop a workflow to process these opt-out requests within 30 days |
The settlement required Sephora to pay $1.2 million in penalties
and comply with these injunctive terms:
| Sephora’s Injunctive Terms |
| 1. Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data |
| 2. Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control |
| 3. Conform its service provider agreements to the CCPA’s requirements |
| 4. Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control |
Sephora privacy policy, updated August 10, 2022 to address: Privacy Policy | Sephora
What are Global Privacy Controls (GPCs)?
- GPC is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.
- GPC is meant to be a legally binding request to all companies in places with applicable privacy laws.
- The CCPA gives California residents the right to opt out of having their data sold. By sending the GPC signal, Privacy Badger is telling companies that you would like to exercise your rights.
- GPC applies to everyone – the first-party sites you visit, and any third-party trackers they might invite in.
How to Detect GPC Signals
Where are GPCs addressed in the regulation?
California Consumer Privacy Act (CCPA) Regulations, Article 3, §999.315.(c) – Requests to Opt-Out
(Title 11 of the California Code of Regulations Section 999.315)
