The California Attorney General has reached a settlement with Sephora (pending court approval) for $1.2 million in penalties and injunctive terms for violations of the California Consumer Privacy Act, after Sephora failed to correct the violations within the cure period.
The terms of the settlement shed new light on how the CCPA will be enforced now and into the future. Some notable aspects of the settlement follow.
Who is affected
The settlement applies to:
(a) DEFENDANT, (b) its directors, officers, employees, agents, independent contractors, partners, and associates; (c) its subsidiaries; and (d) its successors and the assigns of all or substantially all of the assets of their businesses.
https://oag.ca.gov/system/files/attachments/press-docs/Proposed%20Final%20Judgment.pdf
So it’s fairly all-encompassing. Brands should assume that similar enforcement would reach them in the same way.
Terms of Settlement
The settlement also includes terms that compel various corrective activity on the part of Sephora.
1: Sephora must enhance disclosures to include statements that it sells personal data and ensure such disclosures reflect that the consumer has the right to opt-out of sales.
2: Once the CPRA terms become enforceable on January 1st, 2023, Sephora must ensure it complies with those terms.
3: Within 180 days of approval, and for the next two years from that date, they must develop and implement a compliance program that assesses and monitors whether the company effectively processes consumer requests to opt out of the sale of their personal information, including requests made via controls such as the Global Privacy Control, and provide an annual report.
The report must contain both a detailed overview of the testing the company has done to assess and monitor opt-out-of-sale processing and an analysis of any errors or technical problems encountered in processing consumer requests to opt out of the sale of their personal information. It must also include any steps taken to fix those problems.
4: Within 180 days of approval, and for the next two years from that date, they must conduct an annual review of the website and mobile applications to determine which companies Sephora sends personal information to.
Sephora must document this in a report. The report must list every company that personal data is sent to, why it is sent, and whether Sephora classifies the recipient as a service provider. For each such service provider, Sephora must enter into a contract with it that meets the requirements of the CCPA and document that in the report.
Where a service provider offers restricted processing of personal information, Sephora must take that option for all consumers, including those who opt out via a Global Privacy Control signal, and reflect this in the report.
For any entity that is not a service provider, Sephora has a few options: it can continue doing business with the entity subject to compliance with Civil Code sections 1798.20 and 1798.135, it can enter into a contract that renders the entity a valid service provider, or it can stop sending data to that entity. Whichever option is chosen must be documented in the report.
The above reports must be sent to the Attorney General and are excluded from disclosure under the Freedom of Information Act.
Commentary
It should be noted that the enforcement above came after Sephora failed to fix the violations inside the cure period, so it may have been avoidable. However, it also needs to be understood that the CPRA amendments taking effect after January 1st remove this cure period, and brands should not rely on a grace period to correct behavior going forward.
While the fine is hardly a blow to a company the size of Sephora, the compliance orders are notable in that they will consume a large amount of time over the next few years. Other brands subject to the CCPA should consider how ready they would be to deal with similar orders when assessing the adequacy of their compliance.
It should also be noted that the California AG specifically called out compliance with the Global Privacy Control. While this control isn’t yet supported consistently across browsers, it apparently will be considered when evaluating compliance with the CCPA. Brands should take this opportunity to ensure their consent management methods are up to par.
I expect both enforcement and fines to increase once the California Privacy Protection Agency takes the reins in January of 2023. Brands are running out of time to ensure compliance ahead of that deadline, but this settlement, even if not ultimately approved, shows just how far the State of California is willing to go to ensure compliance with the CCPA. Brands should adjust their behavior accordingly.
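As an added illustration (not code from the post, from Sephora, or from the settlement), the following Node.js snippet shows one way a site could honor the Global Privacy Control signal server-side, restrict which downstream recipients receive personal information once a consumer has opted out, and keep a record from which the kind of opt-out processing report described above could be assembled. The header name "Sec-GPC" and its value "1" come from the GPC specification; the recipient names, the consent record shape and the audit-log layout are assumptions made up for the example.

```javascript
// Added example: honoring a GPC opt-out signal and recording each decision.
// Not from the original post or from Sephora. Per the GPC specification a
// participating browser sends the request header "Sec-GPC: 1" (and exposes
// navigator.globalPrivacyControl === true to page scripts).

// Constructed catalogue of downstream recipients, modelled on the distinction the
// settlement draws: "service-provider" entries are under a CCPA-compliant contract,
// "third-party" entries are not. Names are hypothetical.
const RECIPIENTS = [
  { name: 'analytics-vendor', role: 'service-provider' },
  { name: 'fraud-screening',  role: 'service-provider' },
  { name: 'ad-exchange',      role: 'third-party' },
  { name: 'data-broker',      role: 'third-party' },
];

// In-memory log of opt-out decisions and processing errors. In production this
// would be persisted so an annual report could be produced from it.
const auditLog = [];

// True when the request carries a valid GPC opt-out signal. `headers` is a plain
// object keyed by lower-cased header names, as Node's http module provides.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  if (value === undefined) return false;
  // The spec defines the single value "1". Anything else is not treated as an
  // opt-out, but it is logged so the anomaly shows up in the report.
  if (value === '1') return true;
  auditLog.push({ kind: 'error', detail: `unexpected Sec-GPC value: ${JSON.stringify(value)}` });
  return false;
}

// Decide whether personal information may be sold/shared for this request.
// `consent` is a hypothetical record from the site's consent manager; a GPC
// signal is honored as an opt-out request just like an explicit one.
function decideSale(headers, consent) {
  let decision;
  if (hasGpcSignal(headers)) {
    decision = { allowSale: false, reason: 'gpc-signal' };
  } else if (consent && consent.optedOutOfSale === true) {
    decision = { allowSale: false, reason: 'explicit-opt-out' };
  } else {
    decision = { allowSale: true, reason: 'no-opt-out' };
  }
  auditLog.push({ kind: 'decision', ...decision });
  return decision;
}

// Recipients that may receive personal information for this decision: service
// providers always (restricted processing), third parties only when no opt-out applies.
function permittedRecipients(decision, recipients = RECIPIENTS) {
  return recipients
    .filter(r => decision.allowSale || r.role === 'service-provider')
    .map(r => r.name);
}

// Summarize the log into the counts a compliance report would start from.
function reportSummary(log = auditLog) {
  const summary = { decisions: 0, optOutsHonored: 0, gpcOptOuts: 0, errors: [] };
  for (const entry of log) {
    if (entry.kind === 'error') { summary.errors.push(entry.detail); continue; }
    summary.decisions += 1;
    if (!entry.allowSale) summary.optOutsHonored += 1;
    if (entry.reason === 'gpc-signal') summary.gpcOptOuts += 1;
  }
  return summary;
}

// Constructed sample traffic: a GPC-enabled browser, a consumer with an explicit
// opt-out on file, a consumer with neither, and a malformed header.
function runSample() {
  auditLog.length = 0;
  const a = decideSale({ 'sec-gpc': '1' }, null);
  const b = decideSale({}, { optedOutOfSale: true });
  const c = decideSale({}, { optedOutOfSale: false });
  const d = decideSale({ 'sec-gpc': 'yes' }, null);
  return {
    gpc: permittedRecipients(a),        // service providers only
    explicit: permittedRecipients(b),   // service providers only
    none: permittedRecipients(c),       // all four recipients
    malformed: permittedRecipients(d),  // treated as no signal; error logged
    summary: reportSummary(),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

The point of keeping the audit entries is that the settlement asks for evidence of testing, errors and fixes, not just for the opt-out to work; a log of which signal was honored, and of malformed signals that were not, is the raw material for that evidence.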