California’s Attorney General Rob Bonta has made clear that California Consumer Privacy Act (CCPA) enforcement is going to be a priority for the AG’s office. On Friday, the California AG’s office announced a $1.2 million settlement of an enforcement action against Sephora, Inc. for allegedly insufficient disclosures as required by the CCPA. The biggest takeaways from this enforcement action are that (1) California will focus on clear and accurate disclosures made to consumers; (2) California is taking a liberal approach to the definition of what constitutes the “sale” of consumer data; and (3) this is a further reminder that user-enabled global privacy controls — where users can set a default “do not sell” signal through their browser — have the same effect as an affirmative request to opt out of data sharing. Bonta further indicated that a number of non-compliance notices are on their way to various other businesses purportedly violating the CCPA, and companies should take prompt action to respond and correct any deficiencies, lest they become the next Sephora.
Enforcement Action Background
The allegations against Sephora included a combination of disclosure and opt-out request failures, including:
- Failing to include a “Do Not Sell My Personal Information” link on its webpage and mobile app, and two or more methods for users to opt out of the sale of their data;
- Failing to process global privacy control requests by users to opt out of the sale of their personal information;
- Failing to execute valid service-provider contracts with each third party, which is one exception to a “sale” under the CCPA; and
- Failing to cure these alleged deficiencies within 30 days of notice.
Sephora was allegedly permitting third-party companies to install tracking software on Sephora’s website and app to track users’ activity to better market to those individuals. The complaint alleged that “Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits,” which the State of California considered to be a “sale” of personal information for purposes of the CCPA. Thus, according to the State of California, “[b]oth the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA.” Because these transactions were viewed as “sales” of users’ personal information, the CCPA disclosure and opt-out requirements were triggered.
The CCPA is not going away anytime soon, and companies should take note that the California Attorney General’s Office is keeping a close eye on CCPA compliance. If your business is one of the (un)lucky winners of the non-compliance notices referenced in Bonta’s announcement, the 30-day cure period should be treated as a hard deadline to remedy any alleged compliance issues. Moreover, in light of the impending California Privacy Rights Act (CPRA) amendments set to take effect on January 1, 2023, with a look-back period to January 1, 2022, companies should take these steps for proactive CPRA compliance:
- Assess if your business meets new thresholds;
- Determine if your business collects sensitive personal information;
- Amend service provider agreements and update templates;
- Update your data retention policy;
- Analyze how new privacy rights affect your business;
- Determine if your business is a “high risk data processor”;
- Ensure you are adequately disclosing data sales and opt-out rights on your website;
- Ensure you have adequate processes to comply with both user opt-out requests and global privacy control requests; and
- If you receive a non-compliance notice from the California Attorney General’s Office, retain counsel immediately — or at the very least, don’t ignore it.
As companies look towards their CPRA compliance plans between now and the first of next year, these enforcement actions (and the issued address in them) provide clear insight into expectations and regulatory interpretation. The best offense isn’t always a good defense. But in this case, that platitude proves true.