On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora resolving alleged violations of the California Consumer Privacy Act (CCPA). Although the CCPA has been in effect since January 2020, this marks the first time that an enforcement action under the statute has led to fines for a business.

According to a press release issued by Attorney General Bonta, his office conducted “an enforcement sweep” of large retailers in June 2021 to determine compliance with the CCPA. Sephora’s main alleged violation, as determined by Attorney General Bonta’s office, was its failure to comply with requests to not sell consumers’ personal information to third parties. Sephora also was alleged to have failed to notify consumers that Sephora sells their data to third parties, failed to provide a “Do Not Sell My Personal Information” option on the Sephora website, and ignored signals from the Global Privacy Control (“GPC”) tool requesting that users’ information not be sold. 

The last of these violations reveals an important determination by the Attorney General’s office: entities subject to the CCPA must comply with GPC signals. The GPC is a third-party browser plug-in designed to automatically and universally opt a user out of data processing and/or sale across different websites. The complaint in this case, as well as the FAQs about the CCPA on Attorney General Bonta’s website, makes it clear that his office is backing the GPC as a tool for consumers—and complying with GPC signals is required under the CCPA.

Sephora was notified of its alleged CCPA violations on June 25, 2021, and given a thirty-day period to remedy them, but failed to do so in the eyes of the Attorney General’s office. This thirty-day “notice and cure” period is currently required by the CCPA in order to give businesses a chance to fix issues before being subject to a fine or other enforcement actions. But, notably, as Attorney General Bonta’s press release explains, beginning January 1, 2023, the notice-and-cure mechanism sunsets, meaning that the Attorney General’s office can begin enforcement as soon as a violation is detected—without a thirty-day waiting period. This means that businesses should be even more vigilant to ensure they are compliant with the CCPA in order to avoid suffering hefty fines, with no opportunity to fix violations prior to enforcement.

The complaint against Sephora can be found here. The settlement agreement can be found here.

Attorney General Bonta claimed in a statement that the “settlement [with Sephora] sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

Thompson Coburn’s attorneys are closely monitoring enforcement of and compliance with the CCPA, as well as developments in the privacy landscape more generally. For questions, please contact the Thompson Coburn lawyer with whom you usually work, the authors, or any member of the firm’s Cybersecurity, Privacy, and Data Governance practice group.

Jim Shreve is the chair of Thompson Coburn’s Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale and Christopher Collum are associates in Thompson Coburn’s Business Litigation group.