
Sephora Settles CCPA Enforcement Action brought by California’s Attorney General for $1.2M

*The views expressed in this article do not represent the views of Santa Clara University.


On August 24, 2022, California Attorney General (AG) Rob Bonta announced the first enforcement settlement under the California Consumer Privacy Act (CCPA). The settlement was reached with Sephora, Inc. (Sephora), a French multinational retailer of personal care and beauty products. In the complaint against Sephora, Bonta alleged that Sephora (1) failed to disclose to consumers that it was selling their personal information; (2) failed to process user requests to opt out of the sale of their personal data via user-enabled global privacy controls (GPC); and (3) failed to cure these violations within the 30-day period currently allowed under the CCPA.

The settlement requires Sephora to pay $1.2 million in penalties and comply with injunctive terms. Under the settlement, Sephora will be required to (1) clarify its online disclosures and privacy policy to include an affirmative representation that it sells personal data; (2) provide methods for consumers to opt out of the sale of their personal information, including via GPC; (3) conform its service provider agreements to CCPA requirements; and (4) provide ongoing reports to the AG concerning its sale of personal information, the status of the company’s service-provider relationships, and efforts to honor GPC.

Legal Analysis of the Decision

This case raises several issues under the CCPA. These include (1) the definition of the term “sale”; (2) the ability of California consumers to opt out of the sale of personal information; and (3) the availability of GPC to consumers as an effective and appropriate opt-out method.

Under the CCPA, the terms “sell,” “selling,” “sale,” or “sold” include the selling of a consumer’s personal information by the business to a third party for monetary OR other valuable consideration. The Sephora case turns on whether the company “sold” personal information and failed to provide a “do not sell” link or honor consumers’ “do not sell” requests. As Omer Tene and Gabe Maldoff from Goodwin explain,

“[t]he attorney general took the position that sharing data with a vendor in exchange for analytics or ad serving is a “sale” [under the CCPA] because Sephora ‘gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits.’”

“[a] consumer shall have the right to request that a business that sells the consumer’s personal information . . . disclose to that consumer . . . categories of personal information that the business sold about the consumer.”

A consumer cannot act on this right if the company does not disclose that it sells personal information. As AG Bonta passionately stated, “these rights are meaningless if businesses hide how they are using their customer’s data and ignore requests to opt-out of its sale.”

Such opt-out rights may be carried out via a GPC under the CCPA. While this opt-out method was not included under the original CCPA, it does appear in updated regulations, and is present in the Final Text of Proposed CCPA Regulations which states, “a business shall provide . . . designated methods for submitting requests to opt-out . . . acceptable methods for submitting these requests include . . . user-enabled global privacy controls.”

Implications for Businesses

This settlement should act as a warning to all consumer data-collecting companies that enforcement of the CCPA is here, as the AG specifically emphasized when he said, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

To ensure compliance, businesses should refer to the new set of CCPA Enforcement Case Examples published by the AG, which clarify the current landscape of CCPA enforcement. Specifically, companies should be cautious about their sales, as defined under the CCPA, of consumer data. According to tracking of alleged notice-of-violation letters by Mayer Brown partner Arsen Kourinian,

“more than 1/3 of alleged violations pertain to sale issues.”

Practically speaking, companies operating in CA should (1) indicate whether they are selling, as defined in the CCPA, personal information in their public-facing privacy policy; (2) ensure processing of GPC signals; and (3) prioritize the immediate cure of an issue if notified by the AG. The CCPA provides consumers with the right to request that a business not sell the consumer’s personal information to third parties.

The CCPA’s notice-and-cure provision will expire on January 1, 2023.

Useful Sources

Read Attorney General Bonta’s settlement announcement here. A copy of the original complaint is available here. A copy of the settlement is available here. Read the AG’s summary of the CCPA here.

