In the first public CCPA enforcement, Sephora was fined $1.2 million

As part of the first public enforcement case brought under California's historic consumer privacy law, cosmetics company Sephora agreed to pay $1.2 million.

According to a statement issued by the California Attorney General on Wednesday, Sephora sold customers' personal information in violation of the California Consumer Privacy Act (CCPA), notwithstanding their requests that their information not be sold.

The CCPA is the nation's first and only active comprehensive state data privacy law, and it went into force in 2020. As of the beginning of 2021, Virginia, Colorado, Utah, and Connecticut have all enacted their own privacy legislation, which will go into force in 2023. Congress is debating whether a federal data privacy law is needed and how strong it should be.

Under the CCPA, businesses must inform California residents when their personal data is sold and give them an opportunity to object. Enforcement is handled by the attorney general of California, and a business has 30 days to cure any alleged violations.

According to Attorney General Bonta, Sephora was given 30 days to fix the reported problems.

Since 2020, California has been warning businesses to follow the law. Since the law's passage, a number of significant companies, including those in the technology, healthcare, retail, fitness, and telecommunications industries, among others, have received complaints from Bonta's office claiming their opt-out methods were inadequate.

During a recent "enforcement sweep" of internet merchants, his office found Sephora was selling the personal information of customers who had visited the company's website and requested that their information be kept private. On Tuesday, Bonta's office filed a case against Sephora, and on Wednesday, his office and the retailer struck an agreement in San Francisco County Superior Court.

"I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable," Bonta added in the press release.

The CCPA imposes a $7,500 fine for each intentional violation.

A Sephora spokesman stated in an email that the company's operations "are already in compliance with the CCPA." The company did not admit fault or liability as part of the settlement.

According to the settlement, Sephora must inform website users of its plans to sell their personal information, provide a method for customers to opt out, and abide by any requests it gets.

Within 180 days of the settlement, Sephora is also required to establish a monitoring program to evaluate the effectiveness of its system for handling consumer opt-out requests. Sephora must honor privacy requests sent to it directly through its website as well as those sent through the Global Privacy Control, a browser feature that lets users refuse any sale of their personal information by any online merchant.

For a period of two years, Sephora must monitor and evaluate its system to make sure it works as intended. The retailer is required to provide yearly reports to the attorney general outlining its monitoring program, which must include system testing, a list of any flaws or gaps found, a list of the organizations it distributes customer data to, and a description of the personal information given.
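The two obligations above, honoring opt-outs received either through the site's own form or through the Global Privacy Control, and running a monitoring program that tests the system and lists gaps and data recipients, are easy to state and easy to get wrong in code. The following is an added example written for this article; it is not Sephora's code, and nothing in the settlement prescribes this design. The one real piece is the GPC signal itself: a browser with GPC enabled sends the request header `Sec-GPC: 1`, and the GPC specification defines only the value `1` as an opt-out. Everything else (the `Request` type, the opt-out set, partner names and the log format) is a constructed assumption used to show how a decision function and a replay-style audit over a sharing log fit together.

```python
"""Honouring Global Privacy Control opt-outs and auditing whether they were honoured.

Added example, not code from the article or from Sephora. Assumes a site that
records, per request, whether visitor data was passed to a third-party partner.
Only the "Sec-GPC: 1" header is real (GPC specification); all other names,
values and log lines are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed type)."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    user_id: Optional[str] = None   # None for anonymous visitors


def gpc_opt_out(headers: Dict[str, str]) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    Header names are case-insensitive; per the GPC spec only the exact value
    "1" means "do not sell or share". Absence or any other value is no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def may_share_with_partners(req: Request, site_opt_outs: Set[str]) -> bool:
    """Decide whether this request's data may go to ad/analytics partners.

    Either signal alone blocks sharing: an account-level opt-out submitted
    through the site's own "Do Not Sell" form (site_opt_outs, constructed),
    or the browser-level GPC header. Anonymous visitors get the GPC check only.
    """
    if gpc_opt_out(req.headers):
        return False
    if req.user_id is not None and req.user_id in site_opt_outs:
        return False
    return True


def audit_sharing_log(log_lines: List[str], site_opt_outs: Set[str]) -> dict:
    """Monitoring check: replay a sharing log and report gaps and recipients.

    Constructed line format: "<user_id|-> <Sec-GPC value|-> <partner> <yes|no>"
    where the last field says whether data was actually shared. A gap is any
    line where data was shared although the request should have been treated
    as opted out. The partner list mirrors the report requirement of naming
    the organisations that received customer data.
    """
    gaps: List[str] = []
    partners: Set[str] = set()
    for line in log_lines:
        user, gpc, partner, shared = line.split()
        headers = {"Sec-GPC": gpc} if gpc != "-" else {}
        req = Request("/", headers, None if user == "-" else user)
        if shared == "yes":
            partners.add(partner)
            if not may_share_with_partners(req, site_opt_outs):
                gaps.append(line)
    return {"gaps": gaps, "partners": sorted(partners)}


# Constructed sample data: one account opted out via the site form, and a
# short sharing log containing two gaps and three correct decisions.
SITE_OPT_OUTS: Set[str] = {"u1001"}
SAMPLE_LOG: List[str] = [
    "u1001 - adnet-a yes",      # gap: account-level opt-out ignored
    "u2002 1 adnet-a yes",      # gap: Sec-GPC: 1 ignored
    "u3003 1 adnet-b no",       # correct: GPC honoured
    "- 0 adnet-b yes",          # correct: "0" is not an opt-out signal
    "- - analytics-c yes",      # correct: no signal of any kind
]


if __name__ == "__main__":
    report = audit_sharing_log(SAMPLE_LOG, SITE_OPT_OUTS)
    print(f"{len(report['gaps'])} gap(s) found; partners: {report['partners']}")
    for gap in report["gaps"]:
        print("  GAP:", gap)
```

The design point is that the decision and the audit share one function, `may_share_with_partners`, so the monitoring program tests the same logic the site runs in production rather than a parallel re-implementation that can drift. Replaying the sharing log through it yields exactly the two artifacts the settlement's yearly report calls for: the list of gaps and the list of organisations that received data.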

"There are no more excuses," Bonta declared. "Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."

The California Privacy Rights Act (CPRA), which replaces the CCPA, will go into effect on January 1, 2023. The CPRA, which imposes additional requirements on businesses, also establishes the California Privacy Protection Agency (CPPA) to enforce the new regulations.

In a press conference, Bonta remarked, "The kid gloves are coming off; we will hold you accountable."
