First Significant Enforcement Measure under CCPA Concludes with $1.2M Fine
31 August 2022
Comprehensive privacy legislation is expanding across US states and the updated privacy law in California (the California Privacy Rights Act (“CPRA“)) is entering into force in January 2023. Meanwhile, the California’s Attorney General has announced the first enforcement settlement under the current California Consumer Privacy Act (the “CCPA“). This enforcement measure was taken after a wider enforcement sweep of online retailers conducted by the Attorney General.
According to the allegations, the French cosmetics retailer, Sephora used various third-party tracking technology on its website and app, which allowed third parties to monitor consumers as they were shopping. These allowed such third parties to create profiles about consumers by tracking which type of computer a consumer is using, the brand of cosmetics products or vitamins that a consumer puts in their “shopping cart,” and even a consumer’s precise location.
Pursuant to the settlement, the company is subject to a USD 1.2 Million penalty, and in addition must comply with some additional injunctive terms, such as:
- Provide mechanisms for consumers to opt out of the sale of personal information;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the California Attorney General relating to the sale of consumers’ personal information, the status of its service provider relationships, and its efforts to honor the global privacy controls.
This case demonstrates the focus of California Attorney General’s enforcement policy towards online tracking, selling of personal information and compliance and opt-out mechanisms. It illustrates the considerable risk for companies doing business online in California which have not adequately implemented the required disclosures and opt-out mechanisms as required under the CCPA.
We will be happy to further assist with preparing to the CCPA, as well as additional privacy laws in the US, such as the Virginia Consumer Data Protection Act and the CPRA, which are entering into force in the beginning of 2023.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation