FTC & State AG

CCPA’s First Enforcement Action Highlights Global Privacy Controls  

Published: Aug. 25, 2022

Updated: Jun. 13, 2023

The Office of the California Attorney General (OAG) obtained its first settlement under the California Consumer Privacy Act (CCPA) — more than two years after the comprehensive law went into effect and set off a march of other state privacy laws. 

The online beauty product retailer Sephora agreed to settle charges for $1.2 million after allegedly failing to allow consumers to opt-out of the sale of their personal information — including by failing to honor opt-out requests made through global privacy controls. The company also agreed to a two-year monitoring program to ensure that it complies with relevant parts of the law (and the law’s amendments) going forward. 

The proposed settlement still must be approved by a court, and Sephora did not admit to any facts or liability. 

According to the Complaint, the charges stem from Sephora’s actions in June 2021 when Sephora took the position that it did not “sell” personal information under the CCPA’s definition. Because of that, the company did not implement procedures that would have been required under the CCPA if it had been selling personal information, such as providing a “Do Not Sell My Personal Information” link and informing users about the categories of information it sold and about users’ right to opt-out.  

In addition, Sephora did not provide other required methods of opt out — like respecting “user-enabled global privacy controls,” which allow users to signal through a browser extension that they want to opt-out of the sale of their information for any website they visit. Last June, the OAG took the position that businesses must honor one such popular tool called Global Privacy Control (GPC).

The CCPA defines “sale” as disclosing a consumer’s personal information to another business “for monetary or other valuable consideration.” In general, a business can transfer data to a service provider without triggering the CCPA’s sale requirements so long as appropriate contractual limits are placed on the service provider, including regarding re-use of the data.

The Complaint alleges that Sephora allowed “widely available” third-party trackers on its website and app, including cookies, pixels, and software developer kits. According to the Complaint, “Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits”— constituting a sale. The Complaint does not name any of these third-party companies, but it notes that Sephora did not have service provider contracts with them. 

The first-of-its-kind enforcement against Sephora started during the OAG’s “sweep of large retailers” to test compliance with the law. Companies should anticipate another sweep. In its press release, the OAG noted that it simultaneously sent notices to other companies about compliance with global privacy controls, giving them 30 days to cure. The OAG also released other new examples of enforcement notices that had been cured — relating to loyalty programs, hard-to-read privacy disclosures, and verification for opt-out and deletion requests, among other things.