American cosmetic retailer Sephora agreed to pay a $2.1 million fine to settle claims that it had violated the California Consumer Privacy Act (CCPA). This is the first CCPA enforcement action made public. California’s Attorney General found that Sephora failed to disclose to consumers that it was selling their personal information, within the meaning of ‘sale’ under the CCPA. The Attorney General also alleged that Sephora did not process user requests to opt-out of the sale of their information. The Attorney General alerted Sephora to these violations, but Sephora allegedly failed to cure the violation within the required timeframe.
As part of the settlement, Sephora is also required to:
- Revise its online disclosures and privacy policy to clarify that it sells data.
- Provide mechanisms for consumers to opt-out of the sale of their personal information.
- Adjust its service provider agreements to the CCPA’s requirements.
- Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor browser-enabled Global Privacy Control.
According to Attorney General Rob Bonta’s press release, he sent notices to several additional businesses that allegedly failed to process consumer opt-out requests. If those businesses do not cure their violations within 30 days, they could face similar consequences.
CLICK HERE to read the court-affirmed settlement in the case of the People of the State of California v Sephora USA, Inc. CLICK HERE to read the California Attorney General’s press release.