First Significant Enforcement Measure under CCPA Concludes with $1.2M Fine

31 August 2022

Comprehensive privacy legislation is expanding across US states, and the updated privacy law in California (the California Privacy Rights Act (“CPRA”)) is entering into force in January 2023. Meanwhile, California’s Attorney General has announced the first enforcement settlement under the current California Consumer Privacy Act (the “CCPA”). This enforcement measure was taken after a wider enforcement sweep of online retailers conducted by the Attorney General.

According to the allegations, the French cosmetics retailer Sephora used various third-party tracking technologies on its website and app, which allowed third parties to monitor consumers as they were shopping. These technologies allowed such third parties to create profiles about consumers by tracking which type of computer a consumer is using, the brand of cosmetics products or vitamins that a consumer puts in their “shopping cart,” and even a consumer’s precise location.

It was alleged that Sephora failed to adequately disclose to its consumers, in its privacy policy, that it was selling their personal information, as required under the CCPA. Moreover, the company failed to process users’ requests to opt out of the sale of their personal information made via user-enabled global privacy controls. Such privacy controls allow consumers to opt out of all online sales in one step by broadcasting a “do not sell” signal across every website they visit, without having to click on an opt-out link each time. The Attorney General emphasized that under the CCPA, companies must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link, the posting of which is also a special requirement under the CCPA.

Pursuant to the settlement, the company is subject to a USD 1.2 million penalty and must also comply with additional injunctive terms, such as:

  • Amend its online disclosures and privacy policy to include a representation that it sells personal information;
  • Provide mechanisms for consumers to opt out of the sale of personal information;
  • Conform its service provider agreements to the CCPA’s requirements; and
  • Provide reports to the California Attorney General relating to the sale of consumers’ personal information, the status of its service provider relationships, and its efforts to honor the global privacy controls.


This case demonstrates the focus of the California Attorney General’s enforcement policy on online tracking, the selling of personal information, and compliance and opt-out mechanisms. It illustrates the considerable risk for companies doing business online in California that have not adequately implemented the disclosures and opt-out mechanisms required under the CCPA.

We will be happy to further assist with preparing for the CCPA, as well as additional privacy laws in the US, such as the Virginia Consumer Data Protection Act and the CPRA, which are entering into force at the beginning of 2023.

Kind regards,

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation

