California AG Announces $1.2 Million CCPA Settlement with Sephora

Download alert now!

California AG Announces $1.2 Million CCPA Settlement with Sephora

Why This Privacy Law is Important:

While the $1.2 million in question is far from a large fine in the realm of privacy regulation, it does mark the first significant enforcement action under the California Consumer Privacy Act (CCPA). While technically a settlement rather than a fine, it’s a warning shot to California companies that they will be held accountable for violations of the law.


On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora in response to allegations that it violated key provisions of the CCPA and failed to address them within the 30 days allowed by the law. The violations alleged included:

  • Failure to disclose that it sold personal information by allowing third-party advertising partners to track users of Sephora’s website and apps via cookies and other trackers
  • Failure to take required measures regarding sale of personal information, including providing an easy to find and use “do not sell” link to consumers
  • Failure to treat signals for Global Privacy Control (GPC) as functionally identical to consumer requests to opt out of data sales

The AG placed considerable emphasis on the GPC as a key technological means for consumers to exert their privacy rights is significant. California is clearly embracing the position that privacy rules allow consumers to easily opt out of sales of their personal information by configuring certain browsers or plug-ins to automatically transmit requests to websites.Additionally, the AG signaled their attention to broadly interpret what constitutes the “sale” of personal data, so organizations should be leery of many previously accepted practices of surveillance capitalism.

Who it Applies to:

Companies doing business in California should take note, as thus far there has been relatively little effort to comply with the GPC. The gambit of providing nominal, difficult to use opportunities for consumers to opt out of data processing and sales is clearly not going to be viable under the CCPA, especially in light of the appointment of one of its creators to the California Privacy Protection Agency.

Download the Privacy Alert to the right to get the full text and expert analysis

Download the Resource