On August 24, 2022, California Attorney General Rob Bonta (“CA AG”) announced a $1.2 million settlement with Sephora, Inc. (“Sephora”), marking the first announced enforcement action under the California Consumer Privacy Act (CCPA). The CA AG alleged that Sephora violated the CCPA because it failed to inform consumers that it sold their personal information and did not properly honor consumer opt-out of sale requests submitted through global privacy controls (GPCs), among other alleged violations. The CA AG specifically focused on information that Sephora shared with third-party advertising networks, noting that these third parties could create profiles about Sephora customers. According to the CA AG, the Sephora settlement underscored the critical rights that California residents have to fight “commercial surveillance.” At the same time as the Sephora settlement, the CA AG also published a number of new examples of notices to cure sent to companies, including those related to loyalty programs, unclear privacy policies, and data brokers.
This announcement from the CA AG is set against the backdrop of the California Privacy Rights Act (CPRA) going into effect on January 1, 2023, which will both amend and expand upon the current CCPA. In addition to the CA AG enforcing the CPRA, a recently formed California Privacy Protection Agency (CPPA) will also have enforcement authority under the new law (and has already issued initial draft regulations). The CPRA will expand upon some of the obligations highlighted by the CA AG in the Sephora settlement, including those related to cross-contextual advertising and service provider contract obligations.
The CA AG’s announcement also comes while Congress is in the midst of debating a federal privacy law that would largely preempt both the CCPA and CPRA. Both the California AG and the CPPA have publicized their objection to the American Data Privacy and Protection Act (which recently advanced through the House Energy & Commerce Committee) because they would like a federal law to be a floor, and not a ceiling, to privacy protections. Some California legislators in Congress have echoed this sentiment, and the bill also lacks support from key Democratic leaders, such as Senator Maria Cantwell. Due to these hurdles, it’s unclear whether the bill will make any further progress in Congress.
For now, businesses should know that the CA AG is actively enforcing the CCPA and should be preparing for the CPRA to go into effect on January 1. They should also note that sharing information with advertising networks will likely be an area of priority for both the CA AG and the CPPA under the CPRA. Notably, the CPRA will not provide businesses with a mandatory “right to cure” any alleged violations (any cure period granted to businesses under the new law will be discretionary). Additionally, the CA AG announced that it launched a website for consumers to submit potential CCPA violations, and consumers will also have the right to submit potential violations of the CPRA to the CPPA. This case further demonstrates the risks associated with any investigation that is triggered by a specific potential violation – as the CA AG began investigating one issue and eventually expanded out to other CCPA concerns. All of this means that it is even more critical for companies to evaluate both their current and future compliance obligations under California law.
Sephora Settlement
The Sephora settlement is the result of an enforcement sweep of online retailers aimed at determining whether they continued to sell personal information even after a consumer opted out via a GPC. Through this enforcement sweep, it was allegedly uncovered that Sephora failed to: (1) disclose to consumers that it was selling their personal information; (2) process opt-out of sale requests via global privacy controls; and (3) cure these alleged violations within the 30-day period currently allowed under the CCPA. According to the complaint, Sephora’s failure to cure led to a broader investigation of Sephora’s privacy practices. This led the CA AG to find that Sephora also did not have proper service provider terms with its vendors.
The settlement focuses heavily on information shared for targeted advertising purposes. Specifically, the complaint alleges that “if companies make consumer personal information available to third parties and receive a benefit from the arrangement” (e.g., targeted advertising), this constitutes a “sale” under the CCPA, triggering users’ right to opt out. Sephora, the complaint alleges, failed to meet its obligations under the CCPA since it failed to: (1) tell consumers it was selling their data (instead explicitly representing that it did not sell user data) and (2) provide consumers with an easy-to-locate “Do Not Sell My Personal Information” link. With respect to the GPC, the complaint alleges that during the course of the enforcement sweep, the Attorney General discovered that activating the GPC on Sephora’s website had no effect and that data continued to flow to third-party companies, including advertising and analytics providers.
The settlement also imposes injunctive obligations on Sephora in addition to the monetary fine. For example, Sephora must implement and maintain a program to assess and monitor whether it is effectively processing consumer sale opt-outs within 180 days of the settlement (and for a period of two years thereafter). The assessment must be shared in an annual report and must include an overview of testing done as well as an analysis of any errors or technical problems encountered in processing such opt-outs. Furthermore, the settlement requires that Sephora conduct a regular annual review of its websites and mobile applications to determine the entities to which it makes personal information available, within 180 days of the settlement (and for a period of two years thereafter). The results of the review are to be shared in an annual report that must include specific details (e.g., the names of entities to which personal information is made available, the purpose for which information is made available, whether the entities are characterized as service providers, etc.). Sephora must also update its disclosures and privacy policy to make it clear that it sells data; provide mechanisms for consumer opt-outs, including via the GPC; and conform service provider agreements to the CCPA’s requirements.
- Sharing with advertisers is likely a sale: Disclosing or making available consumers’ personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies in exchange for monetary or other valuable consideration likely constitutes a “sale” under the CCPA.
- Ensure that your tech is up to date with the law: Sephora’s failure to comply with GPC signals was especially emphasized by the CA AG. Businesses should ensure that their websites have the capability to honor GPC signals as opt-out of sale requests.
- Contracts matter: The Sephora settlement shows that it is not enough to claim that an entity is acting as a service provider or vendor to your business. Companies need to have the proper contractual terms required under the CCPA in order for their vendors to meet the definition of a “service provider” under the law. This will become even more important when the CPRA goes into effect.
- Take advantage of the right to cure: The Sephora settlement became public and led to a monetary penalty after the company failed to cure its alleged violations. Businesses can likely avoid this outcome by curing their alleged non-compliance with the law when notified by the CA AG. Additionally, failing to cure in this scenario led the CA AG to do a deeper dive of Sephora’s privacy practices and likely uncover additional violations. However, as previously mentioned, the right to cure will disappear as an affirmative right on January 1, 2023.
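To make the GPC and service-provider points above concrete, here is an added example (not code from the settlement, Sephora, or the CA AG) of how a site can read the Global Privacy Control signal on both the server and the client and suppress only the third-party tags that would amount to a "sale". It assumes a constructed tag inventory and request; the `Sec-GPC` request header and `navigator.globalPrivacyControl` property are the real carriers of the GPC signal.

```javascript
// Added example, not from the settlement or from Sephora. Tag names,
// purposes and contract status below are constructed for illustration.

// Server side: browsers with GPC enabled send the request header "Sec-GPC: 1".
// Node lowercases header names, but accept the canonical spelling too.
function gpcOptOutFromHeaders(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return typeof value === "string" && value.trim() === "1";
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcOptOutFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// A GPC signal or an explicit "Do Not Sell" choice suppresses every tag that is
// not under a CCPA service-provider contract. Service-provider tags may still
// load, because that transfer is not a sale; tags with no such contract are
// treated as third parties and must be withheld once the consumer opts out.
function tagsAllowedToLoad(tags, { gpcOptOut, doNotSellChoice }) {
  const optedOut = gpcOptOut === true || doNotSellChoice === true;
  return tags
    .filter((tag) => tag.serviceProviderContract || !optedOut)
    .map((tag) => tag.name);
}

// The annual review the settlement requires: entity, purpose, and whether the
// entity is characterized as a service provider, for every recipient of data.
function inventoryReport(tags) {
  return tags.map((tag) => ({
    entity: tag.name,
    purpose: tag.purpose,
    serviceProvider: tag.serviceProviderContract,
  }));
}

// Constructed inventory (illustrative only).
const SAMPLE_TAGS = [
  { name: "analytics-vendor", purpose: "site analytics", serviceProviderContract: true },
  { name: "ad-network-pixel", purpose: "targeted advertising", serviceProviderContract: false },
  { name: "retargeting-sdk", purpose: "targeted advertising", serviceProviderContract: false },
];

// Constructed request from a GPC-enabled browser: only the service-provider tag loads.
function demo() {
  const request = { headers: { "sec-gpc": "1" } };
  const gpc = gpcOptOutFromHeaders(request.headers);
  return tagsAllowedToLoad(SAMPLE_TAGS, { gpcOptOut: gpc, doNotSellChoice: false });
}
```

The same gating function should be exercised by the monitoring program the settlement describes: run it with the signal on and off and confirm that no non-service-provider tag fires in the opted-out case.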
New Enforcement Examples
In addition to the Sephora settlement, the CA AG’s office also added thirteen new examples to its list of enforcement case examples on August 24, 2022. The new examples address the following issues: (1) failure to honor consumer opt-outs of sales; (2) non-compliant notice of financial incentive; (3) no request methods; (4) erroneous treatment of requests to know; (5) non-compliant privacy policy; (6) requiring consumers to waive/limit CCPA rights; (7) non-compliant notice of collection; (8) non-compliant opt-out process; (9) missing notices; (10) non-compliant verification procedures; (11) non-compliant request to know; (12) non-compliant request to delete; and (13) non-compliant opt-out process. The enforcement case examples span a wide variety of industries, including: retail, food and beverage, hospitality, home improvement, technology, healthcare, medical devices, telehealth, fitness, fintech, data brokers, telecommunications, and adtech.
There are a number of lessons that businesses can also learn from these new enforcement examples in terms of how the CA AG’s office is enforcing the CCPA:
- When using web tracking technologies to make consumers’ personal information available to third parties in exchange for services like advertising or analytics, businesses must either offer consumers an opt-out mechanism or ensure that the third party is a CCPA-compliant service provider.
- Loyalty programs that offer financial incentives (including product discounts, service differences and/or reduced prices) for the collection of consumers’ personal information must post a CCPA-compliant Notice of Financial Incentive.
- Businesses cannot limit a consumer’s rights under the CCPA by requiring consumers to accept the business’s privacy policy and terms of service in order to exercise their rights under the CCPA.
- Links to notice at collection should send consumers to the relevant section of the policy.
- “Do Not Sell” links should have clear choices and toggle options. In one enforcement example, turning the “opt-out of sale of personal information” toggle to “on” actually opted the consumer in to third-party cookies and the sale of their personal information.
- Consumers must be notified at the point of collection about the categories of personal information the business collected and the purposes for which it is used.
- Overly complicated and onerous processes to submit CCPA requests (e.g., requiring verification, and providing only one method to submit CCPA requests) are likely a violation of the CCPA.
- “Do Not Sell” links must lead to mechanisms that stop the sale of personal information. Links that only discuss cookie management or links that only work on certain browsers are insufficient.
- Failure to allow consumers to submit opt-out requests or requests to know via authorized agents may violate the CCPA.
- Employees who handle authorized agent requests should be trained to handle consumer inquiries appropriately (e.g., informed of CCPA requirements or of how to direct consumers to exercise their CCPA rights).
- Privacy disclosures must be complete, yet also understandable to the average consumer.
- Dysfunctional links in opt-outs may constitute a violation of the CCPA.