As we discussed last year, the California Attorney General’s Office (“OAG”) has been wielding its enforcement authority under the California Consumer Privacy Act since the law became enforceable in July 2020. But for two years, OAG’s efforts took place largely out of the public eye: OAG sent confidential notices of violation to businesses it believed were out of compliance, and those businesses quietly brought their practices into compliance within CCPA’s 30-day cure period. As a result, the only information publicly released by OAG about its enforcement efforts has consisted of anonymous Enforcement Case Examples.

That all changed last Thursday, when OAG announced its first public CCPA enforcement action via a press release and livestreamed press conference with AG Rob Bonta. The enforcement action, against cosmetics retailer Sephora, led to a settlement that calls for Sephora to pay $1.2 million in civil penalties and requires the company to comply with several injunctive terms.

The case offers some important takeaways for businesses subject to CCPA and will soon be subject to CPRA (which we’re now apparently pronouncing “sipra”?) when it becomes operative in January.

Case Background

The OAG’s complaint against Sephora centers on the company’s use of tracking tools such as cookies, pixels, and software development kits (SDKs) provided by third-party analytics and advertising companies on its website and mobile app. As the complaint explains, Sephora allowed those third parties to collect personal information about its users through their tracking tools. That personal information included products that customers viewed (including products that could be used to infer information about health conditions, like prenatal and menopausal support vitamins), geolocation data, and technical information about customers’ operating systems and browser types.

Sephora did not hide this activity. To the contrary, its online privacy policy expressly stated that it shared consumer’s geolocation data and online activity information with third parties including “advertising networks, business partners, [and] data analytics providers.”

The problem, according to OAG, was that for California residents, this sharing constituted a “sale” of personal information under CCPA. Although Sephora may not have received monetary payments from the providers in exchange for users’ information, OAG alleged that the sharing was still part of a quid pro quo in which Sephora would receive “discounted or higher-quality analytics and other services derived from the data about consumers’ online activities, including the option to target advertisements to customers that had merely browsed for products online.” Those companies, according to the complaint, could in turn use the personal information they received to create detailed profiles of consumers, which are “frequently kept . . . and used for the benefit of other businesses, without the knowledge or consent of the consumer.”

Sephora, the complaint alleges, violated CCPA’s requirements with respect to these “sales” of personal information by: (i) falsely claiming in its privacy policy that it did not sell consumers’ personal information, (ii) failing to provide consumers with a “Do Not Sell My Personal Information” link, and (iii) failing to detect or process opt-out signals sent by “user-enabled global privacy controls,” such as the Global Privacy Control (“GPC”).

OAG notified Sephora of these alleged violations, which kicked off CCPA’s 30-day cure period. Sephora, however, failed to cure any of the alleged violations within that period, causing OAG to launch an in depth investigation that led to the enforcement action.

Under a Judgment and Permanent Injunction resolving the case, Sephora agreed to pay a $1.2 million penalty and also to comply with various injunctive provisions, including requirements that it:

• Comply with CCPA’s requirements for sales of personal information, including by providing consumers with notice and an opportunity to opt out;
• Process requests to opt out of sales that are communicated through the GPC;
• For two years, annually review its website and mobile app to determine the entities to which it makes consumers’ personal information available and the purposes for which it does so, and the effectiveness of its processing of consumer opt-out requests, and report the results of that review to OAG; and
• For any third parties to whom it makes consumers’ personal information available and that Sephora contends are “service providers” under CCPA; enter into CCPA-compliant service provider contracts and properly configure those services to reflect the providers’ service provider status.

Key Takeaways for Businesses

1. For OAG, Third-Party Analytics and Adtech = Selling (Usually)

Since CCPA was adopted in 2018, there has been some ambiguity about whether the sharing of information collected online with third party advertising and analytics providers constitutes a “sale” of that information. The Sephora case makes abundantly clear that OAG believes it is, at least in most cases. As the complaint explains, “if companies make consumer personal information available to third parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be ‘selling’ personal information under the law,” unless an exception to the definition of “sale” applies.

The question will be rendered partially moot when CPRA becomes operative in January, thanks to that law’s regulation of “sharing” (defined as any disclosure of a consumer’s personal information to a third party for “cross-context behavioral advertising”) much as CCPA regulates “selling.” But OAG’s position in the Sephora case that “the trade of personal information for analytics” can be a “sale” will still have implications for third-party analytics (as opposed to advertising) tools that don’t implicate CPRA’s restrictions on “sharing.”

2. Analytics and Adtech Providers Can Be Service Providers, But Only if Their Services are Properly Configured and Valid Service Provider Contracts are in Place

Notwithstanding point #1, the Sephora case also confirms that third-party analytics and advertising providers can qualify as “service providers,” such that sharing personal information with them would not constitute a “sale” under CCPA. But businesses must take the steps necessary to establish a service provider relationship.

To that end, the business must sign a contract with the provider that meets CCPA’s requirements for service provider contracts. But when it comes to analytics and adtech providers, that may not be enough: as the Sephora judgment alludes to, certain providers still require businesses to configure their tools to bring the provider within CCPA’s “service provider” definition.

As an example, Google offers a “Restricted Data Processing” setting for many of its analytics and advertising tools. When that setting is enabled, Google’s use of information collected through those tools is subject to a CCPA Service Provider Addendum and Google will act only as a “Service Provider” under CCPA as to that information.

CPRA could render this issue moot for some advertising providers’ services: the proposed regulations implementing CPRA released in July by the California Privacy Protection Agency state categorically that “[a] service provider or contractor cannot contract with a business to provide cross-contextual behavioral advertising,” and that “[a] person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor.”

But again, for any third-party analytics or advertising tools that don’t involve that sort of advertising, businesses contending that the providers are “service providers” will need to ensure that both their contracts and configuration settings for the tools support that position.

3. The OAG is Serious About GPC

One of the more controversial aspects of the Sephora case is likely to be its focus on Sephora’s failure to process opt-out requests communicated via user-enabled global privacy controls like the GPC.

Notably, the statutory text of CCPA does not expressly require businesses to recognize or respect these requests. But CCPA regulations issued by OAG in 2020 require businesses that collect personal information online to “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request” to opt out. Notably, OAG spent nearly three single-spaced pages justifying that directive in the Final Statement of Reasons issued along with those regulations. One wonders whether, on this particular topic, OAG doth protest too much…

In any event, OAG later endorsed the GPC as a valid user-enabled global privacy control, both via a tweet by former AG Xavier Becerra on Data Privacy Data in January 2021, and later in CCPA FAQs posted on its website that declare that “[u]nder law,” an opt-out request submitted via the GPC “must be honored by a covered business as a valid consumer request to stop the sale of personal information.” In line with that theme, OAG’s announcement of the Sephora case heralded technologies like GPC as “a game changer for consumers looking to exercise their data privacy rights” and repeatedly warned that businesses must respect opt-out requests made through these technologies.

Thus, despite any ongoing debates about the validity and implementation of the requirement under CCPA for businesses to respect opt-outs communicated via the GPC, the Sephora case makes clear that OAG intends to vigorously enforce that requirement going forward.

4. Don’t be an Outlier When Dealing with OAG

Given that Sephora’s practices—not treating the sharing information with third-party analytics and advertising providers as involving “sales” of personal information, and not processing opt-out requests sent via the GPC—aren’t unique among businesses with an online presence, a key question is why OAG singled the company out for its first public enforcement action.

The answer, based on comments by AG Bonta during his press conference, seems to lie in the company’s failure to timely correct those issues after it received a notice of violation from OAG.

To that end, AG Bonta noted that the “overwhelming majority” of companies to whom his office has sent confidential notices of violation have quickly addressed the identified issues and brought their practices into compliance within the 30-day cure period provided by CCPA. Sephora, by contrast, failed to cure any of the identified violations with that period, which according to AG Bonta made the company “an outlier,” whose actions compared to others, were “egregious” and justified the “rare” step of filing a public enforcement action.

The lesson for businesses: when dealing with OAG, don’t be an outlier.

5. The Cure Period’s Days are Numbered, and OAG is Lying in Wait

Another theme that featured prominently in OAG’s announcement was the expiration, at the end of 2022, of CCPA’s notice and cure provision for administrative enforcement actions. AG Bonta’s comments suggest that once CPRA becomes operative and the cure period is gone, his office isn’t likely to give businesses second chances:

My office is watching, and we will hold you accountable. It’s been more than two years since CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses.

In other words, come January, ignore CPRA’s requirements at your peril.