Privacy.Minded: CCPA Enforcement Action Against Sephora Offers A Warning To Companies That Still Lag In Compliance | Stradling Yocca Carlson & Rauth

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc., resolving allegations that Sephora violated the California Consumer Privacy Act (“CCPA”). At the same time, the Attorney General released the complaint filed in California Superior Court detailing the allegations, as well as the final judgment stipulated by the parties and entered by the court (under the judgment, Sephora accepts the imposed penalties without admitting any liability).

The settlement is noteworthy for several reasons. It is the first time the Attorney General has exercised his authority under the CCPA to seek a court order imposing civil monetary penalties and other remedies for alleged violations. The timing is important because the California Privacy Rights Act (“CPRA”), which consists of several significant amendments to the CCPA, is set to take effect on January 1, 2023. The settlement also offers important lessons, and a warning, for companies that are still developing or updating their CPRA compliance programs.

There’s a lot more to Sephora’s settlement than the $1.2 million fine.

The CCPA empowers a court to impose a monetary penalty of up to $2,500 per violation (or up to $7,500 per “intentional” violation). The Attorney General alleged that Sephora violated the CCPA each time a California resident visited its website on or after July 25, 2021 (the date the Attorney General served Sephora with a notice of violation), because Sephora did not disclose that it was “selling” visitors’ personal information and did not offer visitors the opportunity to opt out of this “sale” (more details below). As part of the settlement, the court fined Sephora a total of $1.2 million and ordered it to comply with CCPA requirements regarding “sales” of personal information.

While $1.2 million is a substantial penalty for most businesses, from Sephora’s perspective it is probably not the most burdensome aspect of the settlement. The court also ordered Sephora to do the following within 180 days, and for a period of two years thereafter:

  • Implement and maintain a program to evaluate and monitor whether it is effectively handling consumer requests to opt out of the sale of their personal information, and provide a detailed public report annually on the effectiveness of this program, the errors or technical problems encountered in implementing it, and the actions Sephora has taken to correct those errors or problems; and
  • Perform an annual review of its website and mobile applications to determine the entities to which it makes personal information available, and document and share the results of this review with the public, including the names of these entities, the purposes for making personal information available to them, and whether Sephora treats these entities as “service providers” within the meaning of the CCPA.

As a result, not only must Sephora implement a comprehensive and detailed compliance program, but it must do so with the Attorney General and the public looking over its shoulder for at least the next two years. In practice, the annual review of websites and mobile applications, together with the inventory and classification of the entities that access personal information through them, is just one of the things that all regulated companies should be doing now, if they have not already. The Attorney General’s message is that companies that have not already done so may be forced to do so later, at a much higher cost.

According to the Attorney General, if you use common analytics or advertising cookies on your website, you are “selling” the personal information of your website visitors to the providers of those cookies, unless you have ensured that those providers act solely as your “service providers.”

The CCPA requires every covered company to disclose, in its privacy policy, whether it “sells” the personal information of California residents and to describe the categories of personal information sold in the preceding 12 months. Companies that “sell” personal information must allow consumers to opt out of such sales through a prominent “Do Not Sell My Personal Information” button or link, and through other means the CCPA deems necessary.[1]

The CCPA defines “selling” broadly. It includes: “[M]aking available . . . a consumer’s personal information by the business to another business or third party for monetary or other consideration.” Since the enactment of the CCPA in 2018, some companies have taken the position that the use of common analytics or advertising cookies and other trackers, such as the Facebook Pixel and Google Analytics, does not constitute a sale of visitors’ IP addresses, browsing activity or other personal information to Facebook, Google or the other providers of those trackers. After the Sephora settlement, it is clearer than ever that the Attorney General strongly disagrees with this position and is prepared to apply a maximalist view of the CCPA’s “sale” requirements.

The Attorney General alleged that Sephora, in addition to collecting personal information for itself through its website, “also makes consumers’ personal information available to third-party companies for the purpose of obtaining advertising and analytics. . . . Sephora has made this data available to these companies by installing (or allowing the installation of) third-party trackers in the form of cookies, pixels, software development kits and other technologies, which automatically send consumer online behavior data to third party companies.” In the Attorney General’s view, “Sephora’s decision to provide to third parties, including ‘ad networks, business partners, [and] data analytics providers’ access to its customers’ data in exchange for services from these entities was a sale of personal information as defined in the CCPA.”

The complaint details an example of an alleged “sale” that is highly relevant to all businesses using the ubiquitous Google Analytics tools and related services:

“Sephora has installed a widely used analytics and advertising software package that allows the analytics provider to collect and maintain personal information about a shopper’s online activities. The analytics provider then provided Sephora with data about what shoppers did on its website or app, such as how many people looked at a particular product. The analytics provider would also determine who the shopper was, using detailed data gathered from other sources, and then present Sephora with the attractive option of delivering targeted ads to the same shopper on the analytics provider’s advertising network. Trading personal information for analytics and trading personal information for advertising purposes constituted sales under the CCPA.”

Further, “Sephora knew that these third parties would collect personal information when Sephora installed or permitted installation of the affected code on its website or application. Sephora also knew it would receive discounted or better-priced analytics and other services derived from data about consumers’ online activities, including the ability to target ads to customers who had simply searched for products online.” And, “Sephora did not have valid service provider contracts in place with each third party, which is an exception to ‘sale’ under the CCPA. All of these transactions were sales under the law.”

The Attorney General’s message is clear: if you use third-party analytics cookies on your site, you are selling the personal information of your site visitors to the provider of those cookies. It does not matter whether the analytics data you receive is “anonymized” or “aggregated”; you have already “sold” visitors’ IP addresses, browsing data, or other personal information associated with the cookie by allowing the cookie to be placed on your site.

Despite this broadly applicable message, the settlement leaves some important questions open. Assuming the Attorney General was referring to Google Analytics or other Google services, did Sephora enable Google’s “restricted data processing” feature, which Google says qualifies it as a “service provider” under the CCPA? If so, does the Attorney General believe that Google’s “restricted data processing” terms do not meet the CCPA’s requirements for a “service provider” contract? Should regulated companies stop relying on assurances from Google, Facebook, et al. when making their compliance decisions regarding cookies and other tracking technologies?

If you receive a notice of violation in 2023, it may not provide you with an opportunity to remedy and avoid further enforcement action.

The CPRA becomes enforceable on July 1, 2023, and only for violations occurring on or after July 1, 2023.[2] Until then, the current CCPA, which was enforced in the Sephora settlement, remains in force.

Currently, the CCPA requires the Attorney General to give an alleged violator 30 days to cure an alleged violation. According to the Attorney General, Sephora did not take advantage of this opportunity, which necessitated a public enforcement action.

The Attorney General’s press release regarding the Sephora settlement emphasizes that the right to cure is only temporary: “The CCPA’s notice and cure provision, which requires companies to be given notice and an opportunity to cure before being held liable by the Attorney General for violations of the CCPA, will expire on January 1, 2023,” when the CPRA comes into effect. When the California Privacy Protection Agency assumes primary enforcement functions on July 1, 2023, it will have the power to issue administrative fines, meaning it will be able to impose fines on violators without a Superior Court order.

The expiration of the right to cure violations, combined with the Agency’s new enforcement powers, means that fines for some first-time violators are a real possibility starting next year. With the Sephora settlement, the Attorney General is warning covered businesses, particularly consumer-facing e-commerce businesses, that the CCPA’s era of second chances may be coming to an end.

[1] Another notable aspect of the settlement is the Attorney General’s allegation that the CCPA requires companies to treat a “global privacy control” signal sent by a user’s browser as a request to opt out of the sale of personal information. We will devote a separate article to this issue.

[2] Except for Sephora, which, under paragraph 13 of the judgment, must comply with the “sale” provisions of the CPRA from January 1, 2023.

Lance B. Holton