First CCPA Enforcement Results in $1.2 Million Settlement Plus Injunctive Relief
On August 24, 2022, California Attorney General Rob Bonta announced the first public settlement for violations of the California Consumer Privacy Act (“CCPA”) – a $1.2 million settlement with beauty retailer Sephora to resolve allegations that Sephora had violated multiple CCPA requirements. The California Attorney General’s complaint against Sephora alleged that the retailer wrongly informed website visitors that it did not sell personal information and failed to provide an easily accessible “Do Not Sell My Personal Information” link on its website or in its mobile app.
Sephora Failed to Disclose It was Selling Customer Data
Sales of personal data under the CCPA are not limited to transfers of data in exchange for monetary payment. The CCPA broadly defines a sale as the exchange of personal information for money or anything else of value. In Sephora’s case, consumers’ geolocation data and internet activity information were shared with third parties, including advertising networks, business partners, and data analytics providers, in exchange for services.
Sephora Failed to Honor All Consumer Opt Outs
The CCPA requires businesses to allow consumers to opt out of the sale of their information both through the Global Privacy Control (“GPC”) and by submitting a request directly to the business. The GPC is essentially a “stop selling my data” switch available in some browsers; once turned on, it signals the consumer’s opt-out request to every website visited with that browser. In its investigation, the California AG found that activating the GPC had no effect on Sephora’s website and that consumer data continued to flow to the website and on to third parties.
Sephora also failed to post the “Do Not Sell My Personal Information” link on its website or in its mobile app. The CCPA requires that the link be posted and easily accessible on the website, even if the business also allows consumers to opt out through other methods such as phone or email. Further, even where consumers managed to opt out despite the missing link and the ineffective GPC mechanism, Sephora continued to sell their personal data to its business partners.
In connection with the Sephora settlement, the California AG announced that it will investigate several other unnamed companies to determine whether GPC signals are being honored. Although the CCPA requires businesses to honor GPC signals, many companies have ignored this requirement and processed only the individual opt-out requests that consumers submit directly. The additional businesses under investigation will also have 30 days to cure any violations before potentially facing millions of dollars in liability. However, the notice-and-cure approach to enforcement expires at the end of 2022, and future violations of the CCPA (as amended and renamed by the California Privacy Rights Act) will be enforced more harshly. The California AG stated that the Sephora settlement should send a “strong message” to businesses that are still in violation of the CCPA more than two years after the law went into effect.
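The two failures described above, an ignored GPC signal and continued selling after a direct opt-out, both come down to a site never checking for an opt-out before it loads the tags that transmit data to third parties. The following is an added example, written for this article and not code from Sephora, the California AG, or the settlement, of how a site can read both signals and gate its third-party tags on them. The GPC signals themselves are the real ones defined by the Global Privacy Control specification: the `Sec-GPC: 1` request header that a GPC-enabled browser sends with every request, and the `navigator.globalPrivacyControl` property it exposes to page scripts. The tag inventory, the tag names, and the `optOutOfSale` cookie recording a direct opt-out request are constructed assumptions for the example.

```javascript
// Added example: detect a CCPA opt-out of sale and gate third-party tags on it.
// Real signals: "Sec-GPC: 1" header (server side) and
// navigator.globalPrivacyControl === true (client side), both from the GPC spec.
// Assumed for the example: the tag inventory below and the opt-out cookie name.

// Constructed tag inventory. thirdParty: true marks tags that send personal
// information (page URL, identifiers, location) to an outside vendor.
const TAG_INVENTORY = [
  { id: 'ad-network-pixel',    thirdParty: true },
  { id: 'analytics-vendor',    thirdParty: true },
  { id: 'first-party-metrics', thirdParty: false }, // stays on the site's own servers
];

// Assumed cookie set when a consumer opts out through the
// "Do Not Sell My Personal Information" link, phone, or email.
const OPT_OUT_COOKIE = 'optOutOfSale';

// Server side: a GPC-enabled browser sends "Sec-GPC: 1" on every request.
// The spec defines "1" as the only valid value, so anything else is no signal.
// Header names are matched case-insensitively.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'sec-gpc');
  return entry !== undefined && String(entry[1]).trim() === '1';
}

// Client side: page scripts can read navigator.globalPrivacyControl.
// Only the boolean true counts; a missing or non-boolean value is no signal.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Direct opt-out: a parsed cookie jar (name -> value) for this consumer.
function directOptOut(cookies) {
  return cookies[OPT_OUT_COOKIE] === '1';
}

// Combine the channels. An opt-out received through any one of them is
// honored; a later request without the GPC header does not cancel a direct
// opt-out, and a GPC signal does not require a separate request.
function resolveOptOut({ headers = {}, nav = null, cookies = {} } = {}) {
  const reasons = [];
  if (gpcFromHeaders(headers)) reasons.push('Sec-GPC header');
  if (gpcFromNavigator(nav)) reasons.push('navigator.globalPrivacyControl');
  if (directOptOut(cookies)) reasons.push('direct opt-out request');
  return { optedOut: reasons.length > 0, reasons };
}

// Decide which tags may load for this request. First-party tags load either
// way; third-party tags load only when no opt-out signal is present.
function tagsToLoad(signals, inventory = TAG_INVENTORY) {
  const { optedOut } = resolveOptOut(signals);
  return inventory
    .filter(tag => !tag.thirdParty || !optedOut)
    .map(tag => tag.id);
}

// Demonstration on constructed requests: one with GPC turned on, one without.
console.log('GPC on :', tagsToLoad({ headers: { 'Sec-GPC': '1' } }));
console.log('GPC off:', tagsToLoad({ headers: {} }));
```

The gating function must run before any third-party tag is injected into the page; a site that loads its ad pixels first and only then consults a consent banner has already transmitted the data the opt-out was meant to stop. The GPC specification also defines a `/.well-known/gpc.json` resource (`{"gpc": true, "lastUpdate": "..."}`) through which a site can declare that it honors the signal; publishing that file without wiring the signal into tag loading, as above, is exactly the kind of gap the California AG found.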
The California AG also provided several new examples of notices to cure CCPA violations that businesses can use as a reference when checking their own CCPA compliance. In one enforcement sweep, the California AG found that a business operating a fitness center chain offered, in connection with the “Do Not Sell My Personal Information” link requirement, an opt-out form that was confusing because of its unclear language and its toggle options for the various opt-out rights. In another enforcement action, a clothing retailer’s opt-out link only allowed consumers to manage their cookie preferences and did not include any method for opting out of the sale of their data.
For more information on how you can ensure your business is in compliance with CCPA requirements, please contact a specialist in Koley Jessen’s Data Privacy and Security Practice Area.