Sephora Inc.
Issued by California Attorney General on 2022-08-24
What happened
The California Attorney General reached a $1.2 million settlement with Sephora in the first public CCPA enforcement action. The investigation found that Sephora failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of the sale of personal information submitted via the Global Privacy Control (GPC) browser signal, and did not cure these violations within the 30-day notice period provided under CCPA. Sephora allowed third-party companies to install tracking software on its website and app that collected consumers' personal data, including browsing activity, in exchange for analytics and advertising services — which constitutes a 'sale' under CCPA. The company's privacy policy did not disclose this practice.
Articles violated
Lessons learned
The CCPA's definition of 'sale' includes sharing data with third parties in exchange for services, not just monetary transactions. Companies must honor Global Privacy Control (GPC) signals as valid opt-out requests. Third-party analytics and advertising trackers on websites may constitute a 'sale' of personal information under CCPA. This first enforcement action set the precedent that the California AG will actively pursue CCPA violations. All businesses subject to CCPA should audit their website trackers and data sharing practices.
Source
View original decisionDisclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
Get enforcement alerts for Retail
We track GDPR fines across Europe. Enter your email to get notified about new enforcement actions.