By Tim Rollins
While the $1.2 million at issue is far from a large fine in the realm of privacy regulation, it does mark the first significant enforcement action under the California Consumer Privacy Act (CCPA). Although technically a settlement rather than a fine, it is a warning shot to companies doing business in California that they will be held accountable for violations of the law.
On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora in response to allegations that it violated key provisions of the CCPA and failed to cure them within the 30 days allowed by the law. The alleged violations included:
- Failure to disclose that it sold personal information by allowing third-party advertising partners to track users of Sephora’s website and apps via cookies and other trackers
- Failure to take the required measures regarding the sale of personal information, including providing an easy-to-find and easy-to-use “do not sell” link to consumers
- Failure to treat signals for Global Privacy Control (GPC) as functionally identical to consumer requests to opt out of data sales
The AG’s considerable emphasis on the GPC as a key technological means for consumers to exercise their privacy rights is significant. California is clearly embracing the position that privacy rules allow consumers to opt out of sales of their personal information simply by configuring certain browsers or plug-ins to transmit opt-out requests to websites automatically.
Additionally, the AG signaled their intention to interpret broadly what constitutes the “sale” of personal data, so organizations should be wary of many previously accepted practices of surveillance capitalism.
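The article describes the GPC only in general terms: a browser or plug-in sends a signal that the website must honor as an opt-out. The following is an added example, not code from the original article or from any of the companies named in it. It shows the server-side decision a site would make on each request. The `Sec-GPC: 1` request header is the mechanism defined by the GPC specification and is not named in the article; the request representation and the in-memory consent store are constructed for illustration and do not correspond to any real framework.

```python
"""Treat a Global Privacy Control (GPC) signal as a "do not sell" opt-out.

The GPC specification defines the request header ``Sec-GPC: 1``.  Any other
value, or an absent header, means no signal was sent.  The request and the
consent store below are constructed for this example, not taken from any
real web framework.
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping

GPC_HEADER = "Sec-GPC"    # header name defined by the GPC specification
GPC_OPT_OUT_VALUE = "1"   # the only value the specification treats as a signal


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the name is matched without
    regard to case; surrounding whitespace on the value is ignored.  Values
    such as "0", "true" or "yes" are NOT a signal under the specification.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == GPC_OPT_OUT_VALUE
    return False


@dataclass
class ConsentStore:
    """Constructed in-memory record of per-user "do not sell" preferences.

    Maps a user identifier to the channel through which the opt-out arrived
    ("gpc" or "do-not-sell-link"), so the record shows the signal was honored.
    """
    opted_out: Dict[str, str] = field(default_factory=dict)

    def record_opt_out(self, user_id: str, source: str) -> None:
        self.opted_out[user_id] = source

    def may_sell(self, user_id: str) -> bool:
        return user_id not in self.opted_out


def handle_do_not_sell_click(user_id: str, store: ConsentStore) -> None:
    """The explicit "Do Not Sell" link, recorded through the same store."""
    store.record_opt_out(user_id, source="do-not-sell-link")


def decide_data_sale(user_id: str, headers: Mapping[str, str],
                     store: ConsentStore) -> bool:
    """Decide whether this request's personal data may be passed to
    third-party advertising partners (a "sale" under the CCPA).

    A GPC signal is treated exactly like a click on the "Do Not Sell" link:
    the opt-out is recorded and sale is refused.  An earlier opt-out from
    either channel is respected even if this request carries no signal.
    """
    if gpc_signal_present(headers):
        store.record_opt_out(user_id, source="gpc")
    return store.may_sell(user_id)


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed sample requests, keyed by a constructed user id.
    print(decide_data_sale("u1", {"sec-gpc": "1"}, store))  # False: opted out via GPC
    print(decide_data_sale("u2", {"Sec-GPC": "0"}, store))  # True: "0" is not a signal
    print(decide_data_sale("u3", {}, store))                # True: no signal, no prior opt-out
    print(decide_data_sale("u1", {}, store))                # False: earlier GPC opt-out persists
```

The point of routing both channels through one store is the one the AG made: a GPC signal and a click on the "do not sell" link must produce the same recorded preference and the same downstream behavior, including toward third-party trackers that the site itself loads.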
Who It Applies To
Companies doing business in California should take note, as thus far there has been relatively little effort to comply with the GPC. The gambit of providing nominal, difficult-to-use opportunities for consumers to opt out of data processing and sales is clearly not going to be viable under the CCPA, especially in light of the appointment of one of the law’s creators to the California Privacy Protection Agency.
While the fine of $1.2 million is not terribly large, it does signal California’s intent to enforce the requirements of the CCPA and compliance with the GPC. The AG’s announcement specifically reminded organizations that “businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring” at the end of 2022. For organizations taking a “wait and see” approach to CCPA and GPC compliance, this is a serious warning.
Expert Analysis from Amalia Barthel, CIPM, CIPT
The California AG is taking a page from the CNIL book regarding cookies and tracking and signaling that it expects organizations to abide by GDPR-level regulations around the sale of PII. It is difficult to understand how Sephora was able to comply with GDPR while tracking visitors to its websites in the US and failing to process user requests to opt out via Global Privacy Control (GPC).
Organizations with operations in both the US and the EU need to harmonize their privacy program and implement similar controls in both regions. Maintaining technologies to support different operations in different jurisdictions is very costly—and very risky. Implementing a single set of policies using the same approach to risk tolerance and the same technology, with privacy by design embedded, is not as costly by comparison. Many multinationals are very successful with their implementation of privacy compliance programs that align well with the applicable legislation in multiple jurisdictions.
Retailers and online e-commerce businesses must take note that CPRA requires transparency of practices and that consumer preferences be recorded and respected. This is done through online disclosures explaining whether there is an intention to sell PII; the provision of mechanisms to opt-out (including through the GPC); and ensuring third parties also conform with these controls.
Data Privacy Tip
Make sure you’re prepared to comply with the requirements of CCPA and CPRA with this checklist from Exterro.