Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireCybersecurity News

Sephora gets $1.2m fine for CCPA data privacy violation

By Maria Henriquez
compliance-security-fp1170.jpg

Image by eamesbot via Freepik

September 2, 2022

Sephora is the first company to be publicly fined for violating California’s Consumer Privacy Act (CCPA).

California Attorney General Rob Bonta announced a settlement with Sephora to resolve allegations that the company violated the CCPA — the landmark data privacy law.

After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to:

  • disclose to consumers that it was selling their personal information
  • process user requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA
  • and that it did not cure these violations within the 30 days currently allowed by the CCPA

According to the press release, the settlement is part of the Attorney General’s effort to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties, including those signaled by the Global Privacy Control (GPC). 

The settlement requires Sephora to pay $1.2 million in penalties and comply with essential terms, including:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control; 
  • Conform its service provider agreements to the CCPA’s requirements; and 
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control. 

As a fundamental rule, “you can’t tell your customers you are doing one thing (not selling their data), and then do another (sell their data),” says John Bambenek, Principal Threat Hunter at Netenrich. “Whether by the California AG, the FTC, or some other regulator, less than truthful claims will eventually catch the eye of some regulator or enforcement official.”

In addition, as part of this ongoing effort to ensure businesses comply with data privacy laws, the Attorney General sent notices to several companies alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC. These businesses have 30 days to cure the alleged violations or face enforcement, like Sephora. 

Bonta said he hoped the settlement sends a strong message to businesses still failing compliance with California’s consumer data privacy law. “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Every chief information security officer (CISO) that conducts business in California, or is subject to the CCPA, should consider themselves on notice that the statute is as real as any other mandates and that they should act accordingly to get their house in order, says Andrew Hay, COO at LARES Consulting. “The best thing a CISO can do is review their CCPA-specific policies with their respective legal and HR teams to ensure their house is in order and that they’re not the next one on the CCPA’s hit list.”

Firms need to re-examine their data protection strategies to ensure they meet reasonable security standards in an era of increasingly sophisticated cyber threats, explains Hank Schless, Senior Manager, Security Solutions at Lookout. “As we have now seen with this $1.2 million fine, breaches of privacy under CCPA can result in significant fines for organizations. This regulation will be the benchmark for future state and federal privacy regulations across the United States.”

Bambenek recommends that CISOs, at a minimum, should know “what data they collect, why they collect it (or conversely, why they don’t delete or discard it), and what external entities have access to it. Like a good asset inventory, organizations need a good information asset inventory with where that data is going is essential.”

KEYWORDS: CCPA cyber security data privacy information security security management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • face-recognition-freepik1170x658.jpg

    Clearview AI fined over $8 million for data privacy violation

    See More
  • Generic Image for Cyber Security

    Sony Data Breach Gets $390,000 Fine in UK

    See More
  • Mark Ruchie security podcast news header

    As data privacy gets stricter, is zero trust the answer?

    See More

Events

View AllSubmit An Event
  • March 6, 2025

    Why Mobile Device Response is Key to Managing Data Risk

    ON DEMAND: Most organizations and their associating operations have the response and investigation of computers, cloud resources, and other endpoint technologies under lock and key. 
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing