California AG’s First CCPA Enforcement Action – Lessons Learned | GPM Lathrop
The California Privacy Rights Act (CPRA) and other new state data privacy laws are expected to go into effect in 2023. If you needed prompting to review your compliance obligations, the California Attorney General recently provided it with a $1.2 million settlement under the California Consumer Privacy Act (CCPA), the law that the CPRA amends and extends. Anyone operating an e-commerce website should take this into account.
Summary of the enforcement action. According to the California AG, Sephora, the French cosmetics retailer, failed to disclose to consumers that it “sold” (a term broadly defined under the CCPA) their personal information; failed to honor user requests to opt out of sales made through a user-enabled global privacy control; and did not cure these violations within the 30-day period allowed by the CCPA. In addition to the settlement amount, Sephora agreed to report to the AG on changes to its privacy program for a period of two years.
Sephora shared its customers’ personal information with third-party advertising networks and analytics providers, as do most e-commerce businesses. Through the tracking software these vendors installed on Sephora’s website and app, they could see what kind of device a customer was using, what was in the customer’s cart, and the customer’s precise location.
The California AG found a “sale” under the CCPA because Sephora gave these vendors access to its consumer data in exchange for free or discounted analytics and other advertising benefits, including “the valuable option to deliver targeted ads to the same buyer on the provider’s ad network.”
The AG further determined that these “sales” triggered Sephora’s obligations to notify consumers of the “sale” of their information and of their ability to opt out of sales via a “Do Not Sell My Personal Information” link on the company’s website.
Release from California AG Office: https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
Points to remember from the enforcement action. We now have a better idea of what the California AG considers a “sale” of personal information under the CCPA, and of what triggers a company’s “do not sell” compliance obligations under the law. Here are our top takeaways from the Sephora settlement:
- Update your service provider contracts. The California AG noted that Sephora’s alleged “sale” of personal information could have been avoided by having “valid service provider contracts in place with each third party.” If you use vendors for analytics or ad targeting, make sure you have appropriate agreements that limit the vendor’s use of consumer data to the services it provides to you and prohibit uses that benefit the vendor or its other customers. Also, if you pay money for the analytics services regardless of any data sharing, the arrangement is arguably not a “sale,” although the California AG may not agree with that position.
- Familiarize yourself with Global Privacy Control. The GPC is a browser-level, one-stop mechanism for opting out of data sales. The California AG endorsed it, saying that “[t]echnologies such as Global Privacy Control are a game-changer for consumers seeking to exercise their data privacy rights.” The AG specifically faulted Sephora for not recognizing the GPC signal as an opt-out request. If your website and cookie configuration treat GPC signals as do-not-sell requests, you will be in line with the AG’s expectations. This is not a panacea, however, because it remains unclear whether a browser may send the GPC signal by default or whether the consumer must take affirmative action to activate it.
- Don’t ignore the California Attorney General. The CCPA provides a 30-day cure period. Sephora’s failure to address the California AG’s notice of non-compliance within that period triggered the enforcement action. If you receive a notice of non-compliance, take timely action to resolve the alleged issue. Note that the CPRA removes this mandatory cure period once it takes effect, so the window for a quiet fix will close.
- Operationalize compliance. This is the right time to confirm that you are fully compliant with the CCPA and CPRA. Reassess your privacy policies and notices to verify their accuracy. Confirm that you have workable processes for handling consumer data rights requests. Examine your websites and mobile apps, especially those that carry third-party trackers or other adtech, to ensure they are configured to detect and honor user-activated opt-out preference signals such as the GPC before any tracker fires.
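The opt-out check that the takeaways above describe, shown as an added example (this is not code from the original post, from the GPM Lathrop authors, or from Sephora): a JavaScript sketch that reads the GPC signal both from the HTTP request header (`Sec-GPC: 1`, as the GPC specification defines it) and from the browser property `navigator.globalPrivacyControl`, and refuses to inject third-party tracker scripts when either is present. The tracker URLs, the `storedOptOut` flag (standing in for a preference saved when a user clicks the “Do Not Sell” link), and the `lastUpdate` date are assumptions for illustration; the `/.well-known/gpc.json` document is the mechanism the GPC specification uses for a site to declare that it honors the signal.

```javascript
// Added example; not from the GPM Lathrop post or from Sephora.
// Facts relied on: GPC is carried as the request header "Sec-GPC: 1"
// and exposed in the browser as navigator.globalPrivacyControl === true.
// Tracker URLs below are hypothetical placeholders.
const TRACKER_SCRIPTS = [
  'https://analytics.example-vendor.test/tag.js',   // constructed
  'https://ads.example-network.test/pixel.js',      // constructed
];

// Server side: only the exact value "1" is an opt-out. Header names are
// case-insensitive, so normalise before comparing (Node lowercases
// req.headers already; raw header maps may not).
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the property is absent in browsers without GPC support,
// so only a strict boolean true counts; a string "true" does not.
function gpcFromNavigator(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// A GPC signal from either source is a valid opt-out on its own, whether or
// not the user ever clicked the “Do Not Sell” link (storedOptOut).
function shouldTreatAsOptOut({ headers = {}, nav = null, storedOptOut = false } = {}) {
  return storedOptOut === true || gpcFromHeaders(headers) || gpcFromNavigator(nav);
}

// Gate tracker loading on the decision. Returns the list of scripts that may
// be injected so the caller can act on it (and so it can be checked directly).
function trackersToLoad(ctx) {
  return shouldTreatAsOptOut(ctx) ? [] : TRACKER_SCRIPTS.slice();
}

// Browser-side usage: inject only what the gate allows.
function injectAllowedTrackers(doc, nav) {
  const allowed = trackersToLoad({ nav });
  for (const src of allowed) {
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return allowed.length;
}

// Body for GET /.well-known/gpc.json, declaring that this site honours GPC.
// lastUpdate is an ISO date supplied by the site operator (assumed here).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Server-side usage, e.g. inside an Express handler:
//   if (gpcFromHeaders(req.headers)) { /* suppress sale-related tags in the rendered page */ }
//   app.get('/.well-known/gpc.json', (req, res) => res.type('json').send(gpcWellKnown('2023-01-01')));
```

Two points in this sketch matter in practice. The header value and the navigator property are checked strictly, because a tag manager that treats any truthy value as consent (or any non-empty header as opt-out) will misclassify traffic in both directions. And the decision is made before any third-party script is injected, not after; a tracker that has already fired has already shared the data the opt-out was meant to stop.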
We will continue to monitor all global, federal and state data privacy laws and enforcement actions and will keep you informed of any suggested compliance activities.