California AG Issues First Fine for CCPA Violations

Kathleen Scott, Joan Stewart
Wiley Rein LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Privacy In Focus®

The California Attorney General (AG) made headlines in August by issuing a $1.2 million fine against online retailer Sephora to resolve allegations that the business violated the California Consumer Privacy Act (CCPA). This action represented a major shift in AG enforcement efforts, which had previously focused on issuing warning letters under the notice and cure provisions of the CCPA. In announcing the enforcement action, the California AG stated: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling consumer data, not including a “do not sell my personal information” opt-out button on its website, and not honoring Global Privacy Control (GPC) signals. Sephora was provided a 30-day cure period but allegedly did not bring its practices into compliance during that time.

This enforcement action is notable for several reasons. First, it arose from the AG’s compliance sweep of online retailers, illustrating one of the multiple channels the AG has available to pursue investigations. Of note, AG investigations to date have frequently been triggered by consumer complaints. Additionally, this enforcement action is a clear sign that businesses must carefully evaluate whether their data sharing practices are a “sale” under the CCPA. The CCPA’s definition of sale is broad and captures significantly more activities than a straightforward transaction. Finally, the AG clearly signaled in this action that businesses must honor Global Privacy Control signals. In addressing this element of the settlement, the AG stated: “[t]echnologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses … ignore requests to opt-out of its sale.” Failure to do so will be treated as a CCPA violation.

In the countdown to implementation of the California Consumer Rights Act (CPRA) on January 1, 2023, the California AG’s office has not become complacent in its enforcement of the CCPA. Under the CPRA, the AG retains enforcement authority along with the newly created California Privacy Protection Agency (CPPA). Businesses should pay careful attention to these enforcement efforts and evaluate their data collection and use practices to ensure they comply.

© 2022 Wiley Rein LLP

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP
Wiley Rein LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide