While the State of California and Sephora reached a settlement in principle which still needs approval, I feel it’s important to take a look at the Attorney General’s claims, and determine whether a website you may own could be subject to similar enforcement.
Note: Not a Lawyer. Speak to Legal Counsel if anything below concerns you.
Complaint and Investigation
If we review the complaint and investigation, a few things which are often debated are made clear.
First, installing third-party marketing or analytics pixels is considered by the California Attorney General (AG) to be a ‘sale’ under the terms of the California Consumer Privacy Act (CCPA). This is notable because many brands read this clause as ‘sale for money’. The AG, however, states that making personal information available to third parties and receiving a benefit from the arrangement is a sale. In this context, sending analytics or marketing data to a vendor would be considered a sale of data. Sephora did not declare sales of data, and told consumers that “they do not sell consumer information”, which is incorrect given the AG’s stance on what a ‘sale’ of data is.
This brings us to the second point – if you sell data, you are required to meet specific obligations under the law, such as telling consumers that you sell their personal information and giving them mechanisms to opt out of those sales, such as clicking a “Do Not Sell My Personal Information” link. According to the claims, Sephora did not do this, and had no link on its website or mobile application to process an opt-out of sale.
Third, Sephora did not honor the Global Privacy Control signal: the presence of such a signal did not change the behavior of the website, in effect denying users the ability to opt out of sale by means of that signal.
It should be noted that the Global Privacy Control is new and not yet widely adopted. This means it is very likely that any existing consent management platform integration a website may have is non-compliant.
The AG gave Sephora notice and 30 days to correct the above violations. Sephora did not act to correct the violations, which led to a deeper investigation that charged Sephora with the following:
VIOLATIONS OF THE CCPA, SECTION 1798.155, SUBDIVISION (B) (Failure to Notice Sale of Consumer Personal Information, Provide “Do Not Sell My Personal Information” Link, Provide Two Or More Methods to Opt-Out of Sale, and Process Requests to Opt-Out Via User-Enabled Global Privacy Controls)
The AG notes that each time Sephora failed to stop the sale of data to a third party, Sephora violated the law. Keep in mind that if a ‘sale of data’ is effectively one network request to a vendor, this would have amounted to a very large number of violations.
The AG also charged Sephora with the following:
VIOLATIONS OF THE UNFAIR COMPETITION LAW, BUSINESS AND PROFESSIONS CODE, SECTION 17206 (Failure to Process Requests to Opt-Out Via User-Enabled Global Privacy Controls)
Possible Fines
The AG asked the Court to issue orders ensuring compliance and fines of $2,500 for each violation of the CCPA and $7,500 for each intentional violation, as proven at trial. Additionally, the AG asked the Court to issue fines of $2,500 for each violation of the Unfair Competition Law as proven at trial. The AG also sought recovery of its legal fees and any other relief the Court may want to issue.
Keep in mind, it is the view of the AG that these violations occurred per pixel hit, not per user or session, so the fines would have added up very quickly. Hence Sephora’s willingness to settle despite being subject to a compliance order.
What did we learn?
This case has a few things worth learning from.
- The AG clarified what they consider a ‘sale’ of personal information to be.
- The AG makes it clear that your consent management and privacy policy must accurately reflect when a sale of data occurs.
- The AG requires websites to honor opt-out requests as disclosed.
- The AG expects websites to treat the Global Privacy Control as an opt-out request.
- The potential fines for a website with a lot of traffic would add up exceptionally quickly given most typical tag management configurations.
- It’s bad to ignore Cure Notices.
What must brands do?
Brands need to ensure proper disclosure of sales of data in the consent management notices and privacy policy and ensure that when selling data the proper “Do Not Sell My Personal Information” links are present as required.
Brands need to ensure proper Service Provider contracts are in place for any entity to which they sell data. Sephora was warned about this and, upon approval by the Court, will be required to undertake this for all entities to which it sells data.
Further, brands need to review their consent management and tag management configurations to ensure proper handling of the Global Privacy Control.
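One way a tag manager can treat the Global Privacy Control as an opt-out of sale before any third-party pixel fires, as an added JavaScript example that is not code from the original post or from Sephora. The tag catalogue and the `tagsToFire` helper are constructed for illustration; `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the signal surfaces defined by the GPC specification.

```javascript
// Added example: gate third-party pixels on the Global Privacy Control (GPC)
// signal so that an opted-out user never triggers a network call to a vendor.

// Constructed tag catalogue: each tag declares whether firing it makes personal
// information available to a third party (a "sale" in the AG's reading).
const TAG_CATALOGUE = [
  { id: "first-party-analytics", sharesWithThirdParty: false },
  { id: "ad-network-pixel",      sharesWithThirdParty: true },
  { id: "social-retargeting",    sharesWithThirdParty: true },
];

// Browser side: navigator.globalPrivacyControl is true when the user has
// enabled GPC. Pass the real `navigator` in a page; pass a stub in tests.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Server side: user agents sending GPC set the request header "Sec-GPC: 1".
// Header names are matched case-insensitively; only the exact value "1" counts.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Opt-out state is the union of the explicit "Do Not Sell" choice stored by the
// consent manager and the GPC signal. A stale stored "consented" value must
// never outrank GPC, so the combination is OR rather than "explicit choice wins".
function saleOptedOut({ explicitDoNotSell = false, nav, headers } = {}) {
  return explicitDoNotSell || gpcFromNavigator(nav) || gpcFromHeaders(headers);
}

// Return the ids the tag manager may fire. When the user has opted out of
// sale, every tag that shares data with a third party is withheld.
function tagsToFire(catalogue, optedOut) {
  return catalogue
    .filter((tag) => !(optedOut && tag.sharesWithThirdParty))
    .map((tag) => tag.id);
}

// Example run with a constructed request carrying the GPC header.
const optedOut = saleOptedOut({ headers: { "Sec-GPC": "1" } });
console.log("opted out:", optedOut, "tags:", tagsToFire(TAG_CATALOGUE, optedOut));
```

The same `saleOptedOut` result should also drive the stored consent record, so later page views stay opted out even if the user's browser stops sending the signal.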
Lastly, it should be understood that while Sephora did get a Cure Notice, this practice is ending with the adoption of the CPRA amendments on January 1st, 2023. Brands should not expect to be given a cure notice going forward and so it is in their best interest to ensure compliance ahead of the new year.