Sephora’s Use of Third Party Surveillance Tools on its Website Ran Afoul of California’s Privacy Law: California Fines Beauty Giant, Sephora, $1.2 million for Illegally Selling Consumer Tracking Data


California Attorney General Rob Bonta (“AG”) recently settled an enforcement action under the California Consumer Privacy Act of 2018 (the “CCPA”) with important implications for every business that tracks consumer behavior on its website. While the CCPA only applies to businesses collecting personal information from California residents, many states (and the federal government) have adopted or are considering similar comprehensive privacy laws, so lessons learned from the California enforcement action are instructive, even for companies not collecting information about Californians.

Among other provisions, the CCPA requires companies that collect personal information from California residents and then “sell” that information to third parties to notify consumers that they sell such information and allow consumers to “opt out” of those sales. The opt-out rule has led to the widespread use of the “Do Not Sell My Information” icons on many website home pages, but the CCPA also requires companies to honor opt-out requests from consumers using “user-enabled global privacy controls” or “GPC,” which is a browser setting that notifies websites of a user’s privacy preferences.

During the summer of 2021, the California AG launched an “enforcement sweep” and tested websites to see whether online retailers continued to sell personal information when a consumer signaled it wished to opt out of those sales using GPC. The AG’s Office identified more than 100 companies it deemed to be in violation of the CCPA. It then provided each company with notice of the violations and the opportunity to fix or cure them within 30 days. (The AG was required to provide notice and an opportunity to cure under the current CCPA, but that requirement expires on January 1, 2023 when the revisions under the California Privacy Rights Act, or CPRA, go into effect. Under the CPRA, the AG will no longer be obligated to give a company an opportunity to cure a violation before commencing an enforcement action.)

Sephora, Inc. (“Sephora”), one of the world’s largest retailers of beauty products, was one of the offending companies the AG identified in its enforcement sweep. Sephora was using third party tracking software to collect information about consumers’ activity on Sephora’s website, which it then shared with its business partners, including marketing and analytics companies. The marketing and analytics companies would use the information to help Sephora serve targeted advertisements to the consumer through the marketing or analytics company’s advertising network. The AG took the position that Sephora had violated the CCPA by (1) failing to tell consumers it was selling personal information it had collected by tracking their online activity and that they had the right to opt out of such selling; (2) failing to provide a clear and conspicuous “Do Not Sell My Personal Information” link; and (3) ignoring consumers’ requests to opt out of sales of its personal information signaled through GPC. The AG also alleged Sephora had violated the state Unfair Competition Law by explicitly stating in its Privacy Policy that “we do not sell personal information.” The AG dismissed Sephora’s argument that the analytics companies were “service providers” (and sharing with a service provider does not constitute “selling”) because Sephora did not have agreements in place with the analytics companies that met the requirements under the CCPA for service provider contracts. When Sephora failed to correct the alleged violations within the allotted 30-day cure period, the AG brought an enforcement action.

On August 24, 2022, the California AG announced Sephora had agreed to pay $1.2 million in penalties to settle the CCPA investigation. Under the settlement, Sephora also agreed to take corrective actions for violations of the CCPA and be monitored for a period of two years. This settlement was clearly designed to send a strong deterrent message and put industry on notice that further enforcement actions are coming. In his press release announcing the Sephora settlement, the California AG issued a stern warning:

“My office is watching and we will hold you accountable… There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

What Does Sephora’s $1.2 Million Settlement with the California AG Mean to Other Companies? Three takeaways:

  1. Definition of “Sale” under CCPA is very broad and includes not only monetary consideration, but benefits that have any value: Companies that do business with California consumers should immediately review their websites to determine if tracking software (e.g., cookies, pixels, software development kits) is being used for analytics, advertising, or other similar services. If your organization uses third-party tracking technology on its website and you are receiving any sort of analytics, data, or other benefit from it, the AG believes you are “selling” data under CCPA and that you should be providing notice to consumers and an opt-out mechanism. If you use a vendor for analytics, targeted advertising, or related services, your contract with the vendor should be updated, if necessary, to specify the vendor is a service provider and to comply with the CCPA service provider requirements. The vendor cannot be allowed to access personal data of any consumer who has opted out of the sale of their information and cannot use any of the data you share with them to benefit themselves or their other customers.
  2. Ensure privacy notices clearly disclose any potential “sale” of personal information. If you share any personal data with third parties, include a “Do Not Sell My Personal Information” link on your website or in your mobile applications. The California AG faulted Sephora for falsely claiming on its website that it did not sell personal information and for failing to post an easy-to-find “Do Not Sell My Personal Information” link. Privacy policies need to be clear and understandable to the average consumer and disclose the sale of any personal information.
  3. Verify that your website has the capability to detect and honor GPC signals. Even if your website contains a “Do Not Sell My Personal Information” link, that is not sufficient to comply with the CCPA. Under the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link. To avoid liability, your website MUST recognize and process any GPC signal or other similar privacy control signal sent by a browser.
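The GPC check in takeaway 3, as an added example that is not part of the article or of Sephora's site: a server-side decision that treats the browser's `Sec-GPC: 1` request header (the HTTP form of the GPC signal) exactly like an opt-out made through the “Do Not Sell” link, here modelled as an assumed cookie named `dns_optout`, and then suppresses every tag that would pass personal information to a third party. The tag list and cookie name are constructed for the example.

```javascript
// Added example, not from the article. Constructed tag inventory: each entry
// records whether the tag sends personal information off-site. On an opt-out
// (GPC signal or link click) only tags that share no personal data may load.
const TAGS = [
  { name: "first-party-metrics", sharesPersonalData: false },
  { name: "analytics-vendor",    sharesPersonalData: true  },
  { name: "ad-network",          sharesPersonalData: true  },
];

// Minimal Cookie header parser: "a=1; dns_optout=1" -> { a: "1", dns_optout: "1" }
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns "gpc" when the browser sent Sec-GPC: 1 (the only value the GPC
// spec treats as a signal), "link" when the constructed opt-out cookie is
// set, or null when neither opt-out is present. Header names are matched
// case-insensitively because proxies and frameworks normalise them differently.
function optOutReason(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);
  if (h["sec-gpc"] === "1") return "gpc";
  if (parseCookies(h["cookie"]).dns_optout === "1") return "link";
  return null;
}

// Browser-side equivalent: the GPC spec also exposes navigator.globalPrivacyControl.
function clientSignalsGpc(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// Names of the tags the page may load for this request. Opt-out from either
// source is honoured identically, which is what the CCPA requires.
function tagsToLoad(headers, tags = TAGS) {
  const optedOut = optOutReason(headers) !== null;
  return tags.filter(t => !optedOut || !t.sharesPersonalData).map(t => t.name);
}
```

A check of this kind belongs in the server (or tag manager) path that decides whether vendor scripts are emitted at all; a client-side-only guard can be bypassed by a tag that loads before it runs.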

Is the Sephora settlement relevant to companies not doing business with California consumers?

No… and yes. The Sephora settlement relates only to California law, but four other states have enacted comprehensive privacy laws, all of which contain opt-out rights for sales of personal information. Many other states have similar laws under consideration. The federal law being debated in Congress, the American Data Privacy and Protection Act (“ADPPA”), which might have brought some order to the increasing morass of state privacy laws, has become bogged down in a debate over preemption of state laws, particularly the CCPA. In any event, even if it survives the legislative process, the ADPPA currently also contains a right to opt out of data transfers and requires companies to honor opt-out requests signaled using GPC. Additionally, in August 2022, the Federal Trade Commission announced that “it is exploring rules to crack down on harmful commercial surveillance” of consumers’ online activities for marketing purposes. In light of the state and federal laws developing around the country, Sephora-like enforcement actions are likely to occur in states other than California.

Conclusion

Companies who collect information about consumers’ actions on their website and share that information with analytics providers or other third parties should evaluate their activities against the rules articulated in the Sephora settlement. If the third parties are intended to be “service providers,” any steps needed to ensure the third parties will qualify as “service providers” – including the creation of an appropriate service provider agreement – should be taken. If the company’s activities amount to “selling” consumers’ data, all disclosures and opt-out rights should be provided. The future holds a significant threat of litigation – particularly, but not only, in California – for businesses that do not comply with these evolving data protection laws.