California Attorney General’s Office Announces First Public CCPA Enforcement Action

Latham & Watkins LLP

Aggressive enforcement may be on the horizon now that businesses have had more than two years to comply with California’s landmark privacy law.

On August 25, 2022, the California Attorney General (AG) announced that it had settled a complaint against Sephora alleging violations of the California Consumer Privacy Act (CCPA). The public settlement was the first since the CCPA became enforceable more than two years ago.

The Complaint

In its complaint, the AG alleged that Sephora failed to:

  • disclose to consumers that it was selling their personal information;
  • post a “Do Not Sell My Personal Information” link on its website and homepage;
  • process user requests to opt out of those sales via user-enabled global privacy controls (such as the so-called Global Privacy Control, or GPC, which is a browser plug-in that is intended to communicate a sale opt-out signal to every page a user visits); and
  • cure these violations within the 30-day cure period allowed by the CCPA.

According to the complaint, when Sephora sells products online, it also collects personal information about its customers, including the products viewed or purchased, geolocation data, cookies and other identifiers, and other electronic network activity information. Sephora then allegedly installed or allowed the installation of third-party trackers on its website and app. As described in its privacy policy, Sephora uses these trackers to provide third parties, namely advertising networks, business partners, and data analytics providers, with information about Sephora’s customers for the purpose of obtaining advertising and analytics. The AG alleged that the transfers of personal information via these trackers were “sales” because Sephora received free or discounted analytics and advertising benefits from those companies in exchange for its customers’ personal information.

The AG also claimed that Sephora did not process user requests to opt out of sales via the GPC. This allegation was based on a broader “enforcement sweep of large retailers to determine whether they continued to sell personal information when a consumer signaled an opt-out via the GPC,” according to the complaint. The AG said it conducted the test and investigation using “commercially available browser extensions to monitor network traffic involving third-party advertising and analytics providers,” and analyzing “how that traffic changed when the GPC sent its ‘do not sell’ signal.” The AG found that turning on the GPC did not affect the flow of customer data from Sephora via trackers to third parties.

Enforcement

As a result, on June 25, 2021, the AG notified Sephora of the alleged violations and gave the company 30 days to cure them. It is not clear why Sephora did not cure the alleged violations. The nature of the allegations suggests the claimed non-compliance could have been addressed, and the list of CCPA Enforcement Case Examples that the AG published shows instances in which businesses have successfully cured violations after receiving notices to cure (which is why the AG has not instituted any other public CCPA enforcement actions to date).

Sephora, however, allegedly failed to cure, leading to the instant enforcement action and settlement filed more than a year later. Sephora agreed to pay $1.2 million and comply with the following injunctive terms:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the GPC
  • Conform its service provider agreements to the CCPA’s requirements
  • Provide reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC

Takeaways

  • The AG’s emphasis on the GPC is noteworthy. The AG’s Office created the GPC through the CCPA regulations, despite a strong argument that the CCPA did not authorize the AG’s Office to do so and that the GPC is in fact contrary to the CCPA. This argument was raised repeatedly during the CCPA rulemaking process, but no one has yet challenged the GPC regulation in court. As this complaint reflects, having created the GPC concept through rulemaking, the AG is now aggressively pursuing compliance with the GPC, with this settlement reinforcing the AG’s view that the GPC is a valid and enforceable CCPA requirement. In addition, in conjunction with the disclosure of the settlement, the AG announced that it sent notices to a number of other businesses alleging a failure to recognize global privacy controls.
  • The AG also supplemented a list of CCPA Enforcement Case Examples that it published last year with additional illustrative examples of situations in which it has sent notices of alleged non-compliance. The updated examples address alleged non-compliance related to opt-out processes, failure to accept requests to know and delete, failure to allow consumers to submit opt-out requests or requests to know via authorized agents, and insufficient and non-compliant notices or privacy policies.
  • The AG’s press release on the settlement strongly signaled that the AG’s Office is moving towards a more aggressive enforcement posture now that businesses have had more than two years to comply with the CCPA and the mandatory notice-to-cure period is expiring on January 1, 2023:

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Companies should take stock of the lessons learned from the Sephora settlement as they consider the additional steps they will need to take before the beginning of next year to comply with the CCPA amendments promulgated by the California Privacy Rights Act.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
