5 Key Lessons from the First CCPA Enforcement Settlement

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora in response to allegations that it violated key provisions of the CCPA and failed to address them within the 30 days allowed by the law. While the amount of the settlement pale in comparison to some of the fines levied under GDPR, it represents a significant step forward for consumer privacy in the US, as it signals California intends to enforce its regulations vigorously.

Download the Data Privacy Alert here!

Exterro recently hosted a webinar in which three privacy experts discussed the settlement, the CCPA violations that led to it, and the implications it has for other organizations. Amalia Barthel, Senior Privacy Advisor for Exterro, Melissa G. Powers, Associate at LewisRice, and Maria Koslunova, Data Privacy Lead at Chainalysis, discussed the ruling and a number of key lessons related to it.

Privacy Lesson #1: Cookies really are going away.

Cookies have been under pressure on multiple fronts. On the technology front, Google has repeatedly said it is phasing out third-party cookies, with the latest deadline being in 2024. Mozilla and Apple’s browser Safari have already done so. Privacy regulators are cracking down on them. For example, the Belgian DPA has ruled that the IAB’s Transparency and Consent Framework used by hundreds of cookie vendors is illegal.

Most importantly, privacy issues are becoming more and more important to consumers—and cookies don’t do a good job satisfying their concerns. As Koslunova explains, cookies don’t create a unified consent management picture of consumers, they “don’t capture consent across different devices or on different stages of the consumer journeys. It's challenging for customers to reflect their preferences.” Powers adds that “we're starting to see increased consumer demand for transparency, for choice, and for control. This is happening all over the world, particularly in Europe, and now it’s flowing down from there to the US.”

Privacy Lesson #2: Comply with the Global Privacy Control.

The Global Privacy Control (GPC) is a way for consumers to tell enterprises they do not want their data sold without having to repeatedly express their preference at each different website they visit. When a consumer sets their web browser to transmit the GPC, every website they visit receives this signal and is required to honor the consumer’s request to protect their privacy.

As Barthel pointed out, “Sephora ignored the global privacy controls. They weren't very transparent about what happens with customers’ data.” The fact that Sephora failed to comply with GPC was at the heart of the California AG’s decision enforce the CCPA. AG Rob Bonta stated in his press release, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale. I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

Privacy Lesson #3: Act before you are held accountable for privacy violations.

The fine agreed upon by Sephora and the California AG was relatively small, at $1.2 million, for a company of Sephora’s size. Powers explains that this was intentional—sending a message to others. “The Attorney General’s focus is on compliance with the law, giving consumers choices and control. But the intent is not to run up revenue in California’s privacy fund. It’s to encourage compliance.” But now that the message has been sent, and the 30-day window to remedy violations of CCPA is going away, the results for future violations could likely be more severe.

Barthel said, “There are two points here that any organization should pay close attention to. You don't want a regulator to come and tell you to establish a compliance program and to monitor you. And you also don't want them to come back and audit you to see how you've revised your websites and your mobile applications to embed these privacy controls and choices for consumers. What have we put in place in terms of good privacy practices, because latest enforcement actions are looking beyond the intention. They're looking at, do you have practices in place?”

Privacy Lesson #4: Marketers need to understand privacy law better.

In the past, marketers haven’t needed to understand privacy law to do their jobs. They could just make their choices about how to track consumer data based on what they needed and what was most cost-effective—a choice that more often than not led them to use cookies. As these lessons demonstrate, regulators are increasingly focusing on how organizations obtain specific, informed consent from consumers.

Melissa Powers pointed out that “marketing is one area of an organization in which there's a lot of turnover, so it's very important for organizations to institutionalize privacy training.” Organizations can’t rely on marketers to know the regulations on their own—they should train them, so they can ensure their marketing complies with regulatory requirements.

Privacy Lesson #5: Consider implementing an enterprise consent solution.

Although not a topic of the webinar, it’s important to explain that there are holistic consent solutions that organizations can embrace. Gartner published a market guide that defined 11 characteristics and capabilities than a good enterprise consent solution should have to ensure that organizations meet the requirements of modern privacy regulations. With an enterprise consent solution, organizations can offer consumers the true consent that meets the requirements of GDPR and CCPA—namely, that it be freely given, granular, informed, and unambiguous.

What Does Enterprise Consent Look Like? Find out in our new infographic.