California AG Issues First Fine for CCPA Violations

Wiley Rein LLP
Contact

Privacy In Focus®

The California Attorney General (AG) made headlines in August by issuing a $1.2 million fine against online retailer Sephora to resolve allegations that the business violated the California Consumer Privacy Act (CCPA). This action represented a major shift in AG enforcement efforts, which had previously focused on issuing warning letters under the notice and cure provisions of the CCPA. In announcing the enforcement action, the California AG stated: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling consumer data, not including a “do not sell my personal information” opt-out button on its website, and not honoring Global Privacy Control (GPC) signals. Sephora was provided a 30-day cure period but allegedly did not bring its practices into compliance during that time.

This enforcement action is notable for several reasons. First, it arose from the AG’s compliance sweep of online retailers, illustrating one of the multiple channels the AG has available to pursue investigations. Of note, AG investigations to date have frequently been triggered by consumer complaints. Additionally, this enforcement action is a clear sign that businesses must carefully evaluate whether their data sharing practices are a “sale” under the CCPA. The CCPA’s definition of sale is broad and captures significantly more activities than a straightforward transaction. Finally, the AG clearly signaled in this action that businesses must honor Global Privacy Control signals. In addressing this element of the settlement, the AG stated: “[t]echnologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses … ignore requests to opt-out of its sale.” Failure to do so will be treated as a CCPA violation.

In the countdown to implementation of the California Consumer Rights Act (CPRA) on January 1, 2023, the California AG’s office has not become complacent in its enforcement of the CCPA. Under the CPRA, the AG retains enforcement authority along with the newly created California Privacy Protection Agency (CPPA). Businesses should pay careful attention to these enforcement efforts and evaluate their data collection and use practices to ensure they comply.

© 2022 Wiley Rein LLP

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wiley Rein LLP

Written by:

Wiley Rein LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide