
Sephora Fined $1.2M for Violating CCPA

How often do you shop online? If you’ve digitally browsed anything from clothing to an apartment in the past few years, you may be familiar with the typical message that pops up when you visit a retail site: We collect your data. Would you like to opt out? Even then, they usually make it easier to accept and hand over your data than to decline and tell them NO.

Now imagine you go through the extra effort to say no, only to find out that the website is selling your data (captured in browser cookies) anyway. That’s exactly what happened to Sephora customers, who discovered their opt-out requests were being ignored. Their data was sold without their permission even after they expressly said ‘no’ by opting out, and no notice was given as to what was being done with it.

Last week, the Attorney General of California reached a settlement with Sephora, a company that operates 2700 stores worldwide. Consumers are getting real-time answers to their questions: What happens to the data that websites collect? Do these privacy settings actually protect my right to decide what happens to my data? 


Sephora's Privacy Violation

Under the California Consumer Privacy Act, more commonly known as the CCPA, businesses are required to disclose to customers when they are collecting and/or selling their personal data. That covers the right to know who is gathering and buying their information, what is collected, and why it’s being gathered and sold. It has been compared to the European Union’s GDPR in terms of its wide-reaching protection of consumer data. 

Although the CCPA went into effect in July 2020, Sephora was found noncompliant with the law’s disclosure requirements two years later. Customers who had chosen to opt out of data collection had that legal right disregarded and their information gathered just like every other visitor’s. Meanwhile, the store was unclear about what was happening to all that personally identifiable information (PII).

What that means for consumers: whether you accepted or rejected its data collection, Sephora was tracking your cookies anyway. If you visited the site, you would later be retargeted by ads for other products.

Sephora's Settlement

Attorney General Rob Bonta fined the company $1.2M for failing to fix these oversights in the two years since the CCPA went into effect. 

In response, spokespeople from Sephora pointed out that the CCPA broadly defines the “sale” of data to include the use of tracking cookies, which the company uses to show you more relevant Sephora products and to advertise sales. That definition, according to the company, is outside the colloquial understanding of the term.

Nonetheless, in compliance with the settlement, the website now displays a link that actually opts you out of data collection. The opt-out also covers consumers who use Global Privacy Control (GPC), a browser setting that is automatically broadcast to every website you visit, so you no longer have to opt out of each site’s data collection one at a time.

In addition to honoring opt-out requests made through the website, Sephora now also clearly states its privacy and data collection policies when you opt out. The company is also required to notify its third-party service providers in writing that they must follow the CCPA too, and those providers must honor opt-out requests made either through the pop-up on the site or via GPC.
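To make the GPC obligation concrete for site operators, here is an added example (not Sephora’s code, and not part of the original post) of server-side logic that treats a visitor as opted out when the browser sends the `Sec-GPC: 1` request header or when the site’s own opt-out choice is present, and then drops third-party tracking tags for that visitor. The `Sec-GPC` header and the `navigator.globalPrivacyControl` property are the real GPC mechanisms; the cookie name `privacy_opt_out`, the tag list and the sample requests are constructed for illustration.

```javascript
// Added example: honoring Global Privacy Control (GPC) and a site opt-out
// cookie before loading third-party tracking tags. Not Sephora's code.
// Assumptions: cookie name "privacy_opt_out" and the tag list are hypothetical.

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// A visitor is opted out if the browser broadcasts GPC or the site cookie is set.
// The GPC spec defines only the exact header value "1" as an opt-out signal;
// any other value (e.g. "true" or "0") is treated as no signal.
function isOptedOut(headers, cookieName = 'privacy_opt_out') {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  if (lower['sec-gpc'] === '1') return true;
  const cookies = parseCookies(lower['cookie']);
  return cookies[cookieName] === '1';
}

// Hypothetical tag inventory. Tags that send data to another company are the
// ones the CCPA "sale"/"share" definition reaches; first-party analytics that
// stays on the site is not suppressed by an opt-out here.
const TAGS = [
  { name: 'first-party-analytics', thirdParty: false },
  { name: 'ad-retargeting-pixel', thirdParty: true },
  { name: 'data-broker-beacon', thirdParty: true },
];

// Returns the names of the tags that may be rendered for this request.
function selectTags(headers, tags = TAGS) {
  const optedOut = isOptedOut(headers);
  return tags.filter((t) => !t.thirdParty || !optedOut).map((t) => t.name);
}

// Client-side counterpart: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl (true when the user has enabled GPC).
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (header objects as a server framework would hand them over).
const SAMPLE_REQUESTS = {
  gpcBrowser: { 'Sec-GPC': '1', Cookie: 'session=abc' },
  optOutCookie: { Cookie: 'session=abc; privacy_opt_out=1' },
  noSignal: { Cookie: 'session=abc' },
  malformedGpc: { 'Sec-GPC': 'true', Cookie: 'session=abc' },
};

for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(label, '-> optedOut:', isOptedOut(headers), 'tags:', selectTags(headers));
}
```

The decision is made per request, before any third-party script tag is emitted, because an opt-out that is only recorded after the pixels have already fired is the situation the settlement describes. Logging which branch each request took gives a simple audit trail that the signal is being honored.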

Sephora will also update the Attorney General on how they’re working to ensure data privacy for their customers on a regular basis. 

How Does CCPA Apply To Idaho Businesses?

Following the settlement, other businesses that serve customers in California are next in the hot seat. The CCPA stipulates that any organization that handles a Californian customer’s PII must accept privacy settings set with GPC, and yes, this applies to companies based outside of the state. Sephora, for instance, is headquartered in Paris. Currently, the CCPA gives violators 30 days’ notice to come into compliance, but even that courtesy will disappear in 2023. Starting in January, violators may be immediately subject to fines and other disciplinary action.

The CCPA applies to California residents, but the rising focus on privacy rights virtually guarantees that more legislation will follow as the cyber-landscape changes and advances. Follow our blog for tips on staying safe as well as the latest news in information security! 
