And so it begins…

Today marked important precedence in what is to become the future of privacy––California Attorney General Rob Bonta issued the first public enforcement action under the California Consumer Privacy Act (CCPA).  And at $1.2M, this is not just a slap on the wrist. 

Why is this so important? Primarily because it is the first enforcement action ever taken, but also because it provides some insight into how companies will be held responsible. In this case, the enforcement action was largely over the definition of ‘sale’ AND it was after a notice with which they evidently did not comply. 

According to Courthouse News Service, the world’s largest retailer of cosmetics, Sephora, will have to pay $1.2 million in fines for violating CCPA by selling customers’ personal information and failing to comply with opt-out requests (Dinzeo, 2022).

Almost all businesses that receive such a notice to cure letter make changes to their behavior within the necessary 30 days, but Bonta said, “In Sephora’s case, they violated the law and they failed to cure the violation after receiving notice. They were not notifying their customers that they were collecting information, denying that they were selling it, and when they had an opportunity to cure the violation once we pointed it out, they failed to do so. Their actions compared to others was egregious.” It was also mentioned in the fine that Sephora was not respecting the Global Opt-out signal. While this was probably not the core issue that led to the levied fine, it is certainly something for companies to consider.

In a press conference today, Attorney General Bonta said, “We found Sephora’s actions unacceptable. Sephora failed to disclose to consumers that it was selling their personal information by making this information available to online third-party trackers in exchange for benefits like targeted advertising and discounted analytics.” 

In response, a Sephora spokesperson said, “We have always cooperated fully with the Office of the Attorney General and Sephora’s practices are already in compliance with the CCPA. We respect the perspective and guidance provided by the OAG and understand the importance of the continually evolving requirements around consumer privacy.” 

California’s Attorney General Bonta is setting the precedent that enforcement is only going to become more prevalent in the future.

Keep in mind, that the notice to cure period sunsets with CPRA going into effect. Bonta recently released this reminder about the cure period: “There will no longer be that 30-day cure period so businesses are going to have to comply from the outset and not wait for a notice from the Department of Justice.” 

If you’re a privacy expert,  it is not difficult to know if a company is compliant––and Bonta certainly has that expertise. However, he has been criticized for a lack of action or actually exercising his authority granted by CCPA having only sent out around 100 notices––and this could leave a lot of companies open to enforcement action once CPRA goes into effect.

“The OAG made clear that the making available of personal information to third parties in exchange for services, without proper use restrictions, is a sale,” said Michael Hellbusch, Partner at Rutan & Tucker. “In the complaint, the OAG alleges Sephora disclosed personal information about its website visitors to advertising networks, business partners, and data analytics providers in exchange for valuable consideration, i.e., free or discounted analytics and advertising benefits. Notably, the OAG concluded that the trade of personal information for analytics and for advertising each constitutes a sale under the CCPA. Reading between the lines, it is possible that Sephora did not consider either of these disclosures to be a ‘sale’.” 

Hellbusch also said, “Some have argued that CCPA’s definition of ‘sale’ requires there to be a quid pro quo exchange of money or other valuable consideration specifically in exchange for personal information. The OAG makes clear in the complaint that it considers providing access to consumer personal information in exchange for free or discounted analytics or advertising benefits to be a sale.”

It certainly looks like things are getting more serious and the stakes are increasing. Truyo president Dan Clarke said, “This is exactly why we developed the Truyo platform – to make it easy for US companies to comply. When CPRA goes into effect, it’s going to be a bit like the Wild West in terms of enforcement. Companies must prepare now so they’re not caught off guard. There will be little grace paid to those who claim ignorance.”

Sources

Dinzeo, M. (2022, August 24). California fines Sephora $1.2 million for selling consumer data. Courthouse News Service. Retrieved August 24, 2022, from https://www.courthousenews.com/california-fines-sephora-1-2-million-for-selling-consumer-data/#:%7E:text=SACRAMENTO%2C%20Calif.,We%20found%20Sephora’s%20actions%20unacceptable