On August 24, 2022, California Attorney General (AG) Rob Bonta announced a settlement with beauty products retailer, Sephora USA, Inc. (“Sephora”), resolving claims that Sephora violated the California Consumer Privacy Act (CCPA) for, among other things, failing to disclose to consumers that it was selling their personal information (including precise location data) and failing to honor opt-out requests via global privacy controls (GPC) broadcasted from users’ web browsers. The proposed settlement has been submitted to a California state court for approval.

This settlement is noteworthy in that it is the AG’s first CCPA enforcement action. After releasing the final proposed CCPA regulations in June 2020, businesses were given notice that enforcement would begin on or after July 1, 2020 (even as regulations were still being finalized, with additional amendments released in March 2021; rulemaking authority has since been assumed the California Privacy Protection Agency, which was established by the California Privacy Rights Act of 2020). Since that time, the AG has released a host of CCPA enforcement case examples that offered basic information about various situations where the AG had sent a notice of CCPA noncompliance to a covered entity, which then remedied the purported violation within the 30-day cure period currently allowed under the statute. The Sephora settlement is the first enforcement and monetary settlement involving the AG over alleged CCPA violations.

According to the AG’s complaint, Sephora allegedly installed third-party tracking technology on its website and mobile app that monitored and profiled user activity (including precise location data) to assist Sephora with ad targeting.  The complaint alleges that the consumer data was  packaged and sold by the third-party data company to other businesses.  The AG stated, “if companies make consumer personal information available to third parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be “selling” consumer personal information under the law” and are required to give notice to the customers.

The complaint alleged that Sephora did not provide consumers with a clear and conspicuous “Do Not Sell My Personal Information” link (or two or more designated methods for submitting opt-out requests).  The complaint also asserted that Sephora allegedly failed to process GPCs or “user-enabled global privacy controls” that gives consumers the option to universally opt-out of all online sales with just an adjustment to their web browsers. After being informed of these alleged violations, the AG claimed that Sephora failed to cure within 30 days, prompting the AG investigation that led to this settlement.

Under the proposed settlement, Sephora agreed to pay $1.2 million in penalties and comply with various injunctive relief, agreeing to:

  • Provide notice to consumers that it sells personal information and that consumers have a right to opt-out;
  • Provide consumer opt-out requests made via GPC;
  • Conform its service provider agreements to the CCPA’s requirements; and
  • Implement a compliance program surrounding CCPA opt-out requests and provide an annual report to the CAG for a period of two years relating its compliance regarding its sale of personal information and compliance with CCPA opt-out requests, the status of its service provider relationships, and its efforts to honor GPC.

Messages the AG Hopes Businesses Receive

First, the AG is focused on the use of data tracking and what it calls “commercial surveillance” (including the sale of precise location data) that generally occurs without the full understanding of consumers. The language used by the AG echoes terms used by the Federal Trade Commission (FTC) in its recent Advance Notice of Proposed Rulemaking regarding potential trade regulations limiting commercial surveillance practices, among other things. While comprehensive, bipartisan federal data privacy legislation (e.g., the so-called ADPPA) remains in the U.S. Senate, data privacy enforcement continues to be a priority for the states (and the FTC).

Second, the enforcement and additional announcement that the AG has sent out additional notices to businesses alleging various failures to process consumer opt-out requests made via GPC privacy controls underscores that this particular violation is on the AG’s radar.

Third, the illustrative examples of prior CCPA investigations and notices show that the AG is receptive to working with businesses to remedy violations under the 30-day cure period currently allowed under the CCPA.  Still, looking ahead, it should be noted that the CCPA’s notice and cure provision, which mandates that businesses receive notice of a violation and an opportunity to cure before the CAG can bring an action, will expire on January 1, 2023.  Thus, with this grace period soon ending, businesses should reexamine their CCPA compliance to get ready to be operating within the CCPA’s requirements on a tightrope of sorts, without a safety net.

Photo of Ryan Blaney Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a…

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.