French retailer Sephora became the first company to be penalized under the California Consumer Privacy Act (CCPA) for not disclosing to consumers that it sells their personal information, failing to respect users’ Global Privacy Control as an opt-out, and neglecting to correct these infractions by the deadline. The $1.2 million penalty is part of a settlement, so while Sephora doesn’t have to admit to wrongdoing, it must pay the fine; rectify its data sharing policy, avenues to opt out, and service provider agreements; and report on its progress to the attorney general. The Sephora case is significant because it:
- Clarifies a broad definition of “sale of data.” The Sephora settlement makes the definition of a sale clear: Any exchange of data for value — not explicitly monetary value — qualifies. This expands requirements for respecting consumers’ “do not sell my information” requests and opens more companies to CCPA investigations — the attorney general already sent violation notices to other organizations acting similarly to Sephora. The debate over what constitutes a sale will be moot next year, however, when the California Privacy Rights Act (CPRA) goes into effect and gives consumers the right to opt out of the sale or sharing of their personal information.
- Is the first privacy-exclusive CCPA settlement. Typically, organizations are investigated for tangible, adverse events such as a data breach. The Sephora case is the first CCPA settlement unrelated to a breach or security-related incident, setting the precedent that inadequate privacy compliance alone substantiates regulatory action.
- Will be the first of many cases. California’s Office of the Attorney General (OAG) has publicized its “enforcement sweep,” a series of ongoing investigations that notify noncompliant organizations and demand that they cure infractions within 30 days or face litigation. The sweeps have been thematic, targeting organizations that share violations, business models, product/service offerings, etc.; one example is the investigation of online retailers and enterprises with loyalty programs. To date, over 250 CCPA complaints have been filed, and other suits are currently waiting for adjudication.
- Signifies the future of privacy regulations. California has the strongest US state privacy law to date. The issue of preemption in the federal privacy bill is becoming increasingly divisive, as California lawmakers (including, notably, Speaker of the House Nancy Pelosi) are unlikely to accept a federal bill that weakens protections for their constituents. Issues like sharing or selling data will become sticking points as the debate over a federal privacy bill continues.