California AG Imposes $1.2 Million Fine in Its First CCPA Settlement

On August 24, California Attorney General (AG) Rob Bonta announced that the Office of the Attorney General (OAG) has entered into its first settlement under the California Consumer Privacy Act (CCPA). The settlement, reached with Sephora USA, Inc., requires Sephora to pay $1.2 million and comply with several injunctive terms. According to the OAG’s announcement, its action against Sephora followed an “enforcement sweep” of online retailers conducted by the OAG.

Past CCPA Enforcement Activity

The OAG shares enforcement authority under the CCPA with the California Privacy Protection Agency, which was established in 2020 pursuant to the California Privacy Rights Act (CPRA), a law that substantially amended the CCPA. The OAG previously published a report on July 19, 2021 providing updates on its first-year CCPA enforcement activities, and it has continually updated an online list of examples of notices of alleged noncompliance (without naming parties) it has brought since the CCPA enforcement began on July 1, 2020. On January 28, 2022, the OAG also issued a press release announcing its particular investigative focus on businesses operating loyalty programs, reminding businesses that the CCPA generally prohibits discrimination against consumers for exercising any of their rights (e.g., the right to opt -out of the sale of personal information or the right to delete personal information). The Sephora enforcement action, however, notably marks the first CCPA settlement entered into by the OAG.

Sephora Settlement

In its complaint, the OAG alleged Sephora failed to cure several alleged CCPA violations within the 30-day cure period—which is currently available to companies but expires at year-end—under the CCPA. Specifically, the OAG alleged that Sephora failed to:

1. Disclose to consumers that it was selling their personal information;
2. Process user requests to opt out of sale requests via user-enabled global privacy controls;
3. Provide a clear and conspicuous “Do Not Sell My Personal Information” link enabling consumers to opt -out of the sale of their personal information; and
4. Provide two or more designated methods for submitting requests to opt -out.

The OAG also alleged Sephora violated California’s Unfair Competition Law by engaging in acts or practices such as “making false or misleading statements of facts concerning Defendants’ sale of consumers’ personal information and unfairly depriving consumers of the ability to opt-out of this sale.”

Sephora allegedly ran afoul of these requirements when, like other online retailers, it installed third party companies’ software on its website and app to track online consumer activity (which the OAG notably called commercial surveillance, the term used by the Federal Trade Commission in its recent advance notice of proposed rulemaking on consumer privacy and data security). These third parties, the OAG asserted, could track all types of data, including “in Sephora’s case, [creating] profiles about consumers by tracking whether a consumer is using a MacBook or a Dell, the brand of eyeliner or the prenatal vitamins that a consumer puts in their ‘shopping cart,’ and even the precise location of the consumer.” Some of these third-party tracking companies allegedly built behavioral profiles of users who visit Sephora’s website, which allowed Sephora to more effectively target potential customers. By receiving “personal information or other information such as analytics,” the complaint alleged, Sephora engaged in selling personal information by benefitting from the sort of “other valuable consideration” contemplated by the CCPA’s definition of “sale”.

The OAG further asserted that Sephora “did not have valid service-provider contracts in place with each third party, which is one exception to “sale” under the CCPA,’ suggesting that Sephora may have avoided this enforcement action had it contractually limited these third-party tracking companies to certain requirements, including, for example, the requirement to process personal information only for Sephora’s business purposes so as to render the third-party companies as “service providers” under the CCPA. This position is consistent with prior guidance issued by the OAG, which stated that “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.”

In addition to the $1.2 million fine imposed on Sephora, the settlement obligates Sephora to:

1. Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
2. Provide mechanisms for consumers to opt out of the sale of personal information;
3. Conform its service provider agreements to the CCPA’s requirements; and
4. Provide reports to the OAG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control. This will likely be the most onerous for Sephora to handle, and it will allow continuous AG oversight into the company’s practices. Under the terms of the settlement, the first report must be filed by February 20, 2023 (i.e., within 180 days of the effective date of the settlement) and for two years thereafter.

Looking Ahead

The OAG’s announcement of the settlement with Sephora suggests the OAG intends to be more aggressive in the coming months in enforcing the CCPA, with a heightened focus on businesses who engage in the sharing or selling of personal information to third parties for purposes of targeting advertising. Indeed, as the OAG noted in its announcement, “[a]s part of his ongoing efforts to enforce the CCPA, Attorney General Bonta also sent notices today to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the [Global Privacy Control].” The Global Privacy Control is a technical specification that empowers consumers with the ability to universally opt out of the sale of their data across all websites they visit, without having to manually reach out to each one.

Notably, the CPRA amendments to the CCPA, most of which will come into force on January 1, 2023, will likely provide even more grounds for enforcement of online tracking activities. The CPRA will provide consumers with the right to opt out of not only the sale of their personal information to third parties, but also the transfer of their personal information to a third party for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration." The term “cross-context behavioral advertising” is defined as "the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

Reminding companies that they will no longer benefit from a 30-day notice and cure period when the CPRA comes into effect, the AG warned: “[i]t’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.