The Office of the California Attorney General (OAG) announced on August 24, 2022, a settlement with Sephora, Inc., as part of a recent enforcement sweep of online retailers. OAG alleged Sephora violated the California Consumer Privacy Act (CCPA) by failing to disclose to consumers that it was selling their personal information by "allow[ing] third-party companies to install tracking software on [Sephora's] website and in [Sephora's] app so that third parties [could] monitor consumers as they shop[ped]." OAG also alleged that Sephora failed to honor requests consumers made to opt out of sales via a global privacy control mechanism. OAG noted that Sephora had been given 30 days to cure the violations, as required by statute, but had failed to do so.
In its announcement about the settlement, OAG emphasized the need for online retailers to take responsibility for third parties that install tracking technologies such as cookies, pixels, and software development kits (SDKs) on their websites and apps, noting that some of this software makes personal information available to the third parties in ways that constitute a "sale" of personal information under the CCPA. Here, by allowing third parties to install these technologies on its online properties, Sephora made this information available to those third parties, who in turn used the trackers to collect consumers' personal information and build profiles of them based on what they purchased, what they considered purchasing, and their precise location. For instance, OAG noted in the complaint that "one widely-used analytics and software package" that Sephora installed allowed an analytics provider to collect personal information about shoppers' habits and activities, identify who those shoppers were by matching that information with data collected from other sources, and provide Sephora with valuable information about the shopper so that Sephora could target that shopper on the analytics provider's other networks. OAG explained that "Sephora's relationships with these third parties met the definition [of "sale" under Cal. Civ. Code Section 1798.140(t)], because Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits."1
Under the settlement, Sephora must pay $1.2 million in penalties and take the following steps:
- Provide consumers a mechanism to opt out of the "sale" of their personal information and honor requests made by consumers to do so via the Global Privacy Control;
- Modify its agreements with service providers to comply with the CCPA; and
- Report to OAG regarding its "sale" of personal information, its service provider relationships, and its efforts to honor the Global Privacy Control.
In its press release describing the settlement, OAG also announced that, on the same day, it had sent new "cure" notices to businesses it determined were not honoring consumer requests to opt out of "sales" made via the Global Privacy Control. Those businesses have 30 days to cure the alleged violations.
- Prioritize compliance with the Global Privacy Control. Companies that have not configured their online properties to honor Global Privacy Control signals are taking a significant risk. OAG can uncover non-compliance simply by visiting a company's website with the Global Privacy Control signal enabled and observing whether the site still loads third-party trackers or otherwise treats the visitor as having consented to "sales." Consider making compliance a top priority.
- Take advantage of the opportunity to "cure" violations. The CCPA requires OAG to give companies notice and allow them 30 days to "cure" an alleged violation. Sephora was given that opportunity but did not cure. The 30-day right to "cure" expires on January 1, 2023, but until then, companies should have processes in place to ensure that OAG notices are acted upon in a timely manner so that any alleged violations can be fixed. Curing alleged violations is also important because, under the proposed rules that the California Privacy Protection Agency (CPPA) recently issued, previous findings of violations can serve as a basis for a CPPA investigation or audit.
- Reassess your information-sharing relationships with other entities. Assume that any information sharing with another entity that is not subject to a "service provider" agreement will be considered a "sale" of personal information. Review your existing relationships and ensure that service provider agreements ensuring compliance are in place, where needed.
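The check described above, how a site reacts to a Global Privacy Control signal, comes down to reading one request header or one browser flag before any third-party tag is loaded. The following is an added example in JavaScript, not code from the article, the OAG, or Sephora. The header name `Sec-GPC` and the `navigator.globalPrivacyControl` flag come from the GPC specification; the tag catalogue, the vendor URLs, and the classification of each tag as a "sale" or a service-provider data flow are assumptions constructed for the example.

```javascript
// Added example, not code from the article, the OAG, or Sephora: honoring a
// Global Privacy Control (GPC) opt-out before any third-party tracker loads.
// GPC reaches a site two ways: the `Sec-GPC: 1` request header (seen server
// side) and the `navigator.globalPrivacyControl` boolean (seen by page
// script). The tag catalogue and vendor URLs below are constructed placeholders.

// Server side: read the opt-out from request headers. Header names are
// compared case-insensitively so "Sec-GPC" and "sec-gpc" are treated alike.
function gpcOptOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      // The spec defines the field value "1" as the opt-out; anything else
      // (including "0" or an empty string) is not a signal.
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same decision from the navigator object. A browser without
// GPC support has no such property; that is "no signal", not consent.
function gpcOptOutFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Each third-party tag is classified by the data flow it creates (assumed
// classification). Tags whose data flow is a "sale" must be suppressed on
// opt-out; tags covered by a service-provider agreement may still load.
const TAG_CATALOGUE = [
  { id: 'analytics-pixel', purpose: 'sale', src: 'https://analytics.example/pixel.js' },
  { id: 'ad-network-sdk', purpose: 'sale', src: 'https://ads.example/sdk.js' },
  { id: 'fraud-detection', purpose: 'service_provider', src: 'https://fraud.example/fp.js' },
];

// Decide which tags may load for this visitor. Either signal is sufficient to
// opt out: the header is what a crawler or regulator's probe sends, the
// navigator flag is what the in-page tag loader sees.
function decide({ headers = {}, nav = null, catalogue = TAG_CATALOGUE } = {}) {
  const optedOut = gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(nav);
  const allowed = catalogue.filter(t => !optedOut || t.purpose !== 'sale');
  const suppressed = catalogue.filter(t => !allowed.includes(t));
  return {
    optedOut,
    allowed: allowed.map(t => t.id),
    suppressed: suppressed.map(t => t.id),
  };
}

// In the page, inject only the allowed scripts. `doc` is passed in so the
// loader can be exercised with a stub document outside a browser.
function loadAllowedTags(doc, nav, catalogue = TAG_CATALOGUE) {
  const { allowed } = decide({ nav, catalogue });
  for (const tag of catalogue) {
    if (!allowed.includes(tag.id)) continue;
    const el = doc.createElement('script');
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return allowed;
}

// Self-check usable as a quick compliance probe: a request carrying the signal
// must suppress every "sale" tag, and a request without it must suppress none.
function selfCheck() {
  const withSignal = decide({ headers: { 'Sec-GPC': '1' } });
  const without = decide({ headers: { 'sec-gpc': '0' }, nav: {} });
  return withSignal.suppressed.length === 2 && without.suppressed.length === 0;
}
```

The decision is made before any script element is created, which is the property a regulator's probe tests: with `Sec-GPC: 1` on the request, the "sale" vendors' URLs should never appear in the page's outgoing requests. Where a tag manager controls vendor loading, the same `decide` result would gate its triggers rather than a hand-written loader.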
1 OAG complaint at paragraph 12: https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf