A beauty retailer pays $1.2 million fine for CCPA violation. It’s all about using third-party analytics on its website. Learn more with us.
This August of 2022, the California Attorney General imposed a fine of $1.2 million under the California Consumer Privacy Act (CCPA) first time ever. This is the sum the beauty retailer Sephora Inc. will pay for the CCPA violation. Specifically, Sephora failed to disclose to consumers that it was selling their data, failed to process users’ opt-out requests, and did not cure these violations within 30 days, the California Attorney General alleged.
The case is notable for several reasons. It marks the first time the Attorney General has imposed civil monetary penalties for CCPA violations. For consumers, the case demonstrates that California takes privacy seriously and that the CCPA has enough power to enforce the stated requirements. For businesses, the fine shows the unforgiving nature of the regulatory landscape.
The timing is also important. The CCPA will be amended in 2023 with the California Privacy Rights Act (CPRA). Hence, there will have more strict security and privacy demands. The precise list of upcoming changes we analyzed in the article CCPA vs. CPRA: the Upcoming Changes to the Law. In this article, we will try to establish the main details of the Sephora data sale case.
Continue reading to get important takeaways for updating your compliance program in preparation for the CPRA.
The settlement with Sephora underscores the critical obligations businesses have to protect the privacy of their consumers. Like most other online retailers, Sephora used third-party tracking software and apps to monitor consumers’ website activity. These include common analytics tools and advertising cookies. They enable third parties to create consumer profiles by tracking types of devices used by consumers, the items they put in their “shopping cart,” a precise location, and other personal information.
Under CCPA, providing third parties [read: providing of data analytics] with access to customers’ data in exchange for services from those entities is a sale of consumer information. This activity imposes certain obligations. Sephora must inform consumers that it is selling their information and allowing them to opt-out of the sale. It is also possible to avoid qualifying these data transactions as sale by signing service-provider contracts with third parties. However, neither was done by Sephora.
Although the settlement is in its final stage, several open questions remain. Assuming the Attorney General was referring to Google Analytics as a tracking tool, did Sephora rely on the “restricted data processing” feature, which Google says entitles them as a “service provider” under CCPA? If it did, are there reasons to believe that the “restricted data processing” fails to meet the CCPA’s requirements for a “service provider” contract? Finally, should businesses rely on assurances from tracking tool providers in making compliance decisions regarding cookies and other tracking technologies? These questions remain open and require heightened attention from businesses under CCPA.
The CCPA’s definition of “sale” goes beyond the traditional understanding. The Act considers selling as “making available…. a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.” However, since the CCPA’s enactment in 2018, many businesses have taken selling requirements ambiguously. Some companies wrongly believe that using common analytics, advertising cookies, and other trackers do not constitute a sale of personal information. Hence, it does not fall under the CCPA requirements.
The CCPA requires businesses to disclose whether it “sells” personal information of California residents and to describe the categories of personal data sold over the preceding 12 months. Companies that sell personal information must allow consumers to opt out of those sales via the “Do Not Sell My Personal Information” button or link. More on that read in one of our previous articles titled Core Aspects of California Consumer Privacy Act.
The Sephora case made it clear that using tracking tools means “selling” personal information of your website visitors to the providers of those cookies unless those providers are acting solely as “service providers.”
Under CCPA, any business that violates CCPA provisions may be subjected to paying statutory damages between $100 to $750 per California resident, per incident, or per actual damage (whichever is greater). It is also provided to pay a monetary penalty of up to $2,500 per unintentional violation (or up to $7,500 per “intentional” violation) (Cal. Civ. Code § 1798.155).
During the investigation process, the Attorney General alleged that Sephora violated the CCPA every time a California resident visited its website on or after the date a notice of violation was delivered (July 25, 2021). As part of the settlement, the court not only entered a $1.2 million penalty against Sephora. It also ordered the company to comply with the CCPA’s requirements concerning sales of personal information. Thus, the consequences of the CCPA violation extend beyond the $1.2 million fine.
First, the court ordered Sephora to carry out and maintain a program to assess how effectively it processes consumers’ opt-out requests. Also, Sephora must report on the effectiveness of that program, its errors or technical problems, and measures taken to fix those errors.
Second, Sephora was ordered to conduct a regular review of websites and mobile apps to determine the entities to which it discloses personal information. The results of this review must be documented and shared with the public.
Sephora must fulfill these “additional” obligations within 180 days and for two years thereafter.
It is hard to disagree that the additional requirements would become much more burdensome than the fine, especially given the fact that carrying out the program will be with the Attorney General and the public looking over their shoulders.
Practically, the annual review of websites and mobile applications is just one of the things every business under CCPA should be doing. The Sephora case shows a perspective for businesses that haven’t done this yet.
The most important message from the Attorney General is pretty clear: if you use third-party analytics or cookies on your site, you are selling the personal information of your site visitors to the provider of those tools. It doesn’t matter if the analytics data you get back is “anonymized” or “aggregated.” You’ve already “sold” the visitor’s IP address, browsing data, or other personal information associated with the cookie.
The second takeaway from the case is: to use your chance to cure the violation while it is possible. Currently, the CCPA requires the Attorney General to give a violator 30 days to cure an alleged violation. Sephora failed to take advantage of that opportunity. Many other businesses may not have such a benefit at all. After January 2023, when CPRA becomes enforceable, no one is offered to cure a violation.
Specialists claim that the CCPA is just the tip of the iceberg when it comes to regional data protection regulations. The patchwork of privacy laws such as the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Utah Consumer Privacy Act, and Connecticut Data Privacy Act, along with CCPA/CPRA, would only intensify pressure on businesses.
With these regulations, businesses are under tremendous pressure to reevaluate how they process personal data. The enforcement of the CCPA against Sephora highlights that these rules work, and non-compliance may be too expensive. The situation may be only smoothed with the implementation of a federal data protection standard. The American Data Privacy and Protection Act (ADPPA), which is slowly traversing through the all-American legislative system, may achieve it if passed.
Data privacy legislation is evolving. Follow up on the recent legal updates, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!