California Fines Sephora $1.2 Million for Privacy Violations

Retailer Accused of Selling Customer Data While Failing to Honor Opt-Out Requests

California has fined retailer Sephora $1.2 million for failing to comply with the state's privacy law.

As part of a settlement agreement, Sephora has also agreed to make a range of changes, including making it clear that it sells customers' data to others, as well as honoring customers' requests to opt out of such sales.

The settlement resolves allegations by the state's Department of Justice that Sephora violated the California Consumer Privacy Act, or CCPA, which went into effect in July 2020.

Sephora, based in Paris, sells personal care and beauty products online as well as via more than 2,600 stores worldwide. Its U.S. subsidiary is headquartered in San Francisco.

"We reached a settlement with Sephora for failing to disclose that it was selling consumer data, failing to honor requests to opt-out of sale, and failing to fix these violations," says Attorney General Rob Bonta. "The CCPA has been in effect for two years. There are no more excuses. Follow the law, honor consumers' rights, and process opt-out requests made via user-enabled global privacy controls."

The office of California's attorney general says Sephora had been warned that it was violating CCPA and given 30 days to rectify the problems, but failed to do so.

Sephora Responds

"Sephora respects consumers' privacy and strives to be transparent about how their personal information is used to improve their Sephora experience," a spokesperson tells Information Security Media Group.*

"It is important to note that Sephora uses data strictly for Sephora experiences. However, the California Consumer Privacy Act does not define 'sale' in the traditional sense of the term. 'Sale' includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads."

The company says that now, "consumers have the opportunity to opt-out of this personalized shopping experience by clicking the 'CA – Do Not Sell My Personal Information' link on the footer of the website or by using a browser that broadcasts the Global Privacy Control."

The company also emphasized that it was not the victim of a data breach, and that the settlement "does not constitute an admission of liability or fault by Sephora."

Settlement Agreement

Under the terms of the settlement agreement, beyond paying the $1.2 million fine, the attorney general says the retailer must also:

  • Clearly state via "its online disclosures and privacy policy" that it sells customers' data;
  • Give consumers the ability "to opt out of the sale of personal information," including via the Global Privacy Control approach;
  • Ensure all its agreements with all service providers stipulate that they must comply with CCPA rules;
  • Provide regular updates to the attorney general detailing its approach to the "sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control."

Privacy Business Case

The Sephora settlement provides "concrete risk figures" for any organization that does business in California, as it builds its business case for addressing the privacy rules, says privacy expert Michelle Dennedy, CEO of software-as-a-service platform PrivacyCode.

California's Privacy Probe Continues

Authorities say the probe of online retailers' privacy practices continues, and that notices were sent Wednesday "to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC."

The proposed GPC specification is designed to allow consumers to set a single "Do Not Sell" and "Object To Processing" flag. The CCPA mandates that all organizations that process California consumers' personally identifiable information offer such functionality.

Businesses contacted by the attorney general's office as part of the CCPA probe have 30 days to address the allegations before potentially facing sanctions.

But authorities warn that as of Jan. 1, 2023, the state will no longer be required to give suspected CCPA violators 30 days' notice to come into compliance. Instead, they may be immediately subject to enforcement actions.

*Update Aug. 25, 2022, 13:30 UTC: Adds comment from Sephora.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
