California DOJ Treats Data Transfers for Website Analytics as a Sale in First CCPA Settlement

Shook, Hardy & Bacon L.L.P.

Do you use Google Analytics? Do you tell consumers that you do not sell personal information? If you answered yes to both of those questions, then this alert is for you! The California attorney general recently took the position that the use of third-party analytics is a sale, unless you have a service-provider contract in place. This alert explores the AG’s position and provides some practical guidance on what to do next.

Background

In June 2021, the California Attorney General notified Sephora that it may be violating various CCPA provisions. Sephora elected not to “cure” (i.e., fix) those issues during the 30-day grace period. (Practice tip: The right to cure disappears on January 1, 2023.) In September 2021, the parties entered into a tolling agreement. Then, on August 23, 2022, the AG sued Sephora alleging violations of the CCPA in the government’s first CCPA lawsuit. In the complaint, the AG focused on two issues: (1) global privacy controls (GPCs) and (2) sales.

The AG alleged that Sephora was not responding to GPCs. Simple enough; the AG has repeatedly stated (and tweeted) that companies must respect those signals. But things got wonky when the AG turned to sales. The AG highlighted that Sephora was using trackers (cookies, pixels, etc.) to send personal information to third parties, including data-analytics companies and advertising networks. The AG alleged such transfers constitute a sale because Sephora provided the personal information in exchange for free/discounted services without having a service-provider contract in place. Notably, the AG did not limit that analysis to just advertising disclosures: “Both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA.” That point bears repeating: The AG claimed that the use of third-party website analytics alone constitutes a sale (unless there is a service-provider contract). The AG also noted that, despite selling personal information, Sephora stated in its privacy policy that it does not sell personal information and did not include a “Do Not Sell My Personal Information” link on its website.

The parties settled the next day, August 24th. Sephora agreed to pay a $1.2 million fine and adopt specific compliance measures. Sephora must disclose sales and honor opt-out requests—including those via GPCs. And, for the next two years, Sephora agreed to (1) maintain a program to monitor its compliance with opt-out requests and (2) review its data transfers to ensure they are legal (e.g., do they need and have a service-provider contract). Sephora also must provide regular updates to the government on those efforts.

The same day the AG announced the settlement, he also released an updated list of enforcement examples. Each reflects a situation where the AG notified the company of a violation, and the company cured the issue within 30 days. In the examples, the AG focused on a range of violations across a large swath of industries.

Key Takeaways

  • GPCs must be respected. California has made it clear that companies need to honor GPCs.
  • Website analytics are (likely) sales. You are selling personal information if you transfer personal information to analytics providers, unless you have a service-provider contract with the provider.
  • No business is immune. The AG is not limiting enforcement activity to specific industries or violation types—any violation may trigger an enforcement action.

Action Steps

With the revised CCPA taking effect on January 1, 2023, now is a great time to do a 360-review of your CCPA compliance measures. But if you are looking for a more targeted approach, there are a few specific measures to consider given the AG’s claims against Sephora:

  • Honor GPCs. Verify that your website responds to GPCs. (The California Privacy Protection Agency, which will enforce the CCPA starting January 1, 2023, has also taken the position that companies must honor GPCs.)
  • Execute Service-Provider Contracts. Find and agree to your analytics provider’s service-provider contract to avoid the data transfer qualifying as a sale. (If it is a sale, the analytics may become less accurate because consumers can opt out of being tracked.) Google provides instructions on how to execute its contract. If your provider does not offer such a contract, consider:
    • Disabling Data Transfers (safe). Consider not using the analytics provider if they do not offer a service-provider contract.
    • Updating Privacy Policy (safer). In lieu of disabling analytics, update your policy to acknowledge the sale and ensure you have an opt-out link on your website.
    • Changing Analytics Settings (riskier). Update your preferences to ensure the analytics provider cannot use the collected personal information for their own purposes. The AG may view that favorably because it captures a key element (limited use) of the service-provider relationship—but since the definition of “service provider” under the CCPA requires a contract, not having one in place poses compliance risks.
  • Monitor Other States. Keep an eye on how regulators in other states interpret their sale restriction. (The states most likely to track California’s approach to analytics are Colorado and Connecticut because they share California’s definition of sale: an exchange for money or valuable consideration [and the California AG focused on the latter prong for his conclusion].)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shook, Hardy & Bacon L.L.P. | Attorney Advertising
