California Attorney General Rob Bonta has announced a major settlement under the California Consumer Privacy Act (CCPA), and it will cost Sephora, Inc. a whopping $1.2 million in penalties. According to the release from Bonta’s office, the settlement arose from an enforcement sweep against online retailers during which the AG’s office alleged that Sephora failed to disclose to consumers that it was “selling” their personal information (as defined under the CCPA) and that it failed to process user requests to opt out of any sale, including those received via the Global Privacy Control (GPC). The complaint stated that Sephora was notified on June 25, 2021, of the alleged violations of the CCPA and thus had 30 days to cure. According to the complaint, “by July 26, 2021, Sephora had failed to take any of the following steps:
· Sephora failed to post a “Do Not Sell My Personal Information” link on its website and homepage;
· Sephora failed [to] respond to process consumer opt-outs via the GPC.”
In addition to the imposition of the $1.2 million penalty (which goes to the Consumer Privacy Fund as provided in the CCPA), the settlement agreement includes obligations on Sephora to report to the AG on an annual basis and (1) implement and maintain a program to assess and monitor its processing of opt-out requests along with an analysis of any errors or technical problems encountered in processing opt-outs via GPC and steps taken to remediate or fix; and (2) conduct a regular review of its website and mobile applications and document names of entities to which Sephora makes personal information available, the purpose for sharing, and whether they are “service providers,” along with other requirements. The first report must be filed within 180 days of the effective date of the settlement agreement, and reporting continues for 2 years thereafter.
Pay attention to your email boxes: in addition to announcing the Sephora settlement, AG Bonta also said that his office today sent notices to “a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.” Businesses that receive letters today have 30 days to cure the alleged violations or face the same fate as Sephora – enforcement action from the AG’s office.
If you have any questions about your CCPA compliance program, or need to get one implemented, contact the Mintz Privacy Team.