Thu | Sep 1, 2022 | 3:29 PM PDT

Sephora has been fined $1.2 million for violating California's Consumer Privacy Act (CCPA), becoming the first company to be publicly fined under the landmark privacy law.

The French multinational beauty retailer allegedly failed to notify consumers that it was selling their personal information, and failed to process requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, according to a statement from California Attorney General Rob Bonta. 

The statement notes that this settlement is part of ongoing efforts to enforce the CCPA, which gives consumers the right to tell companies to stop selling their information to third parties, including through opt-out requests signaled by the Global Privacy Control (GPC).

Attorney General Bonta discusses the settlement:

"Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.

I hope today's settlement sends a strong message to businesses that are still failing to comply with California's consumer privacy law. My office is watching, and we will hold you accountable. It's been more than two years since the CCPA went into effect, and businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."

On top of paying the $1.2 million fine, Sephora also must revamp its privacy policies. Specifically, the company will:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control
  • Conform its service provider agreements to the CCPA's requirements
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control
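To make the second and fourth remediation items concrete, the following is an added example (not code from the article, from Sephora or from the California Attorney General's office) of how a web backend can honor the Global Privacy Control signal and keep an evidence trail of having done so. It follows the GPC proposal, under which a browser with GPC enabled sends the request header `Sec-GPC: 1` and a site may publish `/.well-known/gpc.json` to announce that it honors the signal. The function names, the opt-out cookie name, the "sale" versus "non-sale" data-flow labels and the sample requests are this example's own constructed assumptions.

```python
"""
Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Added example for illustration; not the article's, Sephora's, or the
California AG's code. Header and well-known path follow the GPC proposal
(https://globalprivacycontrol.github.io/gpc-spec/). Flow labels, cookie
name and function names are assumptions made for this example.
"""
import json
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Third-party flows that share personal information for cross-context
# advertising and are therefore treated here as a "sale" under the CCPA.
# (constructed labels for this example)
SALE_FLOWS = {"ad-retargeting-pixel", "data-broker-sync"}
# Flows that are not a sale and may run regardless of any opt-out signal.
NON_SALE_FLOWS = {"fraud-detection", "order-fulfilment"}

OPT_OUT_COOKIE = "ccpa_opt_out"  # assumed name of an explicit opt-out cookie


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries `Sec-GPC: 1`.

    The proposal defines the only valid field value as "1"; a header with any
    other value (e.g. "true") is not a GPC opt-out and is ignored.
    """
    value = _header(headers, "Sec-GPC")
    return value is not None and value.strip() == "1"


def parse_cookies(cookie_header: str) -> dict:
    """Minimal Cookie header parser: name=value pairs separated by ';'."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


@dataclass
class OptOutDecision:
    opted_out: bool
    reason: str
    allowed_flows: set = field(default_factory=set)
    blocked_flows: set = field(default_factory=set)


def decide_data_flows(headers: Mapping[str, str]) -> OptOutDecision:
    """Decide which third-party flows may run for this request.

    An opt-out from either the GPC header or an explicit opt-out cookie blocks
    every flow in SALE_FLOWS; flows that are not a sale always remain allowed.
    """
    cookies = parse_cookies(_header(headers, "Cookie") or "")
    if gpc_signal_present(headers):
        reason = "Sec-GPC header"
    elif cookies.get(OPT_OUT_COOKIE) == "1":
        reason = "explicit opt-out cookie"
    else:
        return OptOutDecision(False, "no opt-out signal",
                              allowed_flows=SALE_FLOWS | NON_SALE_FLOWS)
    return OptOutDecision(True, reason,
                          allowed_flows=set(NON_SALE_FLOWS),
                          blocked_flows=set(SALE_FLOWS))


def audit_record(request_id: str, decision: OptOutDecision) -> dict:
    """One evidence-trail entry showing whether and why the signal was honored."""
    return {
        "request_id": request_id,
        "opted_out": decision.opted_out,
        "reason": decision.reason,
        "blocked_flows": sorted(decision.blocked_flows),
    }


def well_known_gpc(last_update_iso: str) -> str:
    """Body for GET /.well-known/gpc.json announcing that GPC is honored."""
    return json.dumps({"gpc": True, "lastUpdate": last_update_iso})


# Constructed sample requests for the example.
GPC_REQUEST = {"Host": "shop.example", "Sec-GPC": "1"}
PLAIN_REQUEST = {"Host": "shop.example", "Cookie": "session=abc"}
MALFORMED_GPC = {"Host": "shop.example", "sec-gpc": "true"}  # not a valid signal

if __name__ == "__main__":
    for rid, req in [("r1", GPC_REQUEST), ("r2", PLAIN_REQUEST), ("r3", MALFORMED_GPC)]:
        print(json.dumps(audit_record(rid, decide_data_flows(req))))
    print(well_known_gpc("2022-09-01"))
```

The decision is made once per request and is the single point the third-party integrations consult before firing, so that a malformed signal value fails closed toward "no signal" rather than crashing the request, and every decision is written to the audit trail that the kind of reporting obligation described above would draw on.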

California's Attorney General hopes that this settlement will highlight the fact that consumers have the right to fight commercial surveillance under the CCPA.

Nowadays, consumers are tracked everywhere they go online: every item they look at and every website they visit is known to these corporations. Many large corporations also allow third parties to install tracking software so they can collect every piece of data imaginable.

This type of arrangement constitutes a sale of consumer information under the CCPA, which is acceptable as long as they notify consumers and give them a chance to opt out, which Sephora failed to do.

John Bambanek, Principal Threat Hunter at Netenrich, shares his thoughts on the settlement:

"As a fundamental rule, you can't tell your customers you are doing one thing (not selling their data), and then do another (sell their data). Whether by the California AG, the FTC, or some other regulator, less than truthful claims will eventually catch the eye of some regulator or enforcement official.

CISOs, at a minimum, should know what data they collect, why they collect it (or conversely, why they don't delete or discard it), and what external entities have access to it. Like a good asset inventory, organizations need a good information asset inventory with where that data is going."

Andrew Hay, COO at Lares Consulting, believes that CISOs everywhere should use this case as a wake-up call:

"This event shows that California takes privacy seriously and that the CCPA has the teeth to enforce the stated requirements. Every CISO that conducts business in California, or is subject to CCPA, should now consider themselves on notice that the statute is as real as other regulatory mandates and that they should act accordingly to get their house in order.

The best thing a CISO can do is review their CCPA-specific policies with their respective legal and HR teams to ensure their house is in order and that they're not the next one on the CCPA's hit list."

What do you think of Sephora becoming the first company to be fined under the CCPA? Is $1.2 million enough? Share your thoughts in the comments below.

Tags: GRC, Privacy