Enforcement of the California Consumer Privacy Act – Sephora’s Settlement
The California Consumer Privacy Act (“CCPA”) is changing the landscape for data privacy and protection in the United States. Understanding the basics of this law is important to compliance, and so is understanding how it will be enforced. For example, the CCPA creates a number of rights for covered individuals, including the right to opt out of the sale of personal information. A complaint filed by the California Attorney General against Sephora USA, Inc. in August of 2022 helps to clarify some of the applications of that right.
The Attorney General asserted in his complaint that there were a number of issues with Sephora’s CCPA compliance, including (in part) that it had not notified consumers that it sold personal information and that it had not recognized or facilitated their right to opt-out of such sales as required by the law. In so doing, the Attorney General made it clear that he defined “sale” broadly, noting in the complaint that “if companies make consumer personal information available to third parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be ‘selling’ consumer personal information under the law.” The complaint then went on to assert that Sephora had not provided the required “easy-to-find” opt-out link nor had it “treat[ed] the GPC [Global Privacy Control signals, as enabled by consumers] as [an] opt-out of the sale of their personal information.” More information on Global Privacy Control signals can be found at https://globalprivacycontrol.org/
Though this case was settled, and keeping in mind the changes to the CCPA made by the California Privacy Rights Act (“CPRA”) that took effect after the fact (including the expansion of the right to opt out to also cover applicable “sharing” of personal information), the complaint’s language is helpful for anyone seeking to comply with the CCPA. It makes clear, for example, that covered businesses that engage in practices such as cross-context behavioral advertising need to take action to avoid a fate similar to Sephora’s.