Sephora is the first company to be publicly fined for violating California’s Consumer Privacy Act (CCPA).
California Attorney General Rob Bonta announced a settlement with Sephora to resolve allegations that the company violated the CCPA — the landmark data privacy law.
After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to:
- disclose to consumers that it was selling their personal information
- process user requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA
- and that it did not cure these violations within the 30 days currently allowed by the CCPA
According to the press release, the settlement is part of the Attorney General’s effort to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties, including those signaled by the Global Privacy Control (GPC).
The settlement requires Sephora to pay $1.2 million in penalties and comply with essential terms, including:
- Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.
As a fundamental rule, “you can’t tell your customers you are doing one thing (not selling their data), and then do another (sell their data),” says John Bambenek, Principal Threat Hunter at Netenrich. “Whether by the California AG, the FTC, or some other regulator, less than truthful claims will eventually catch the eye of some regulator or enforcement official.”
In addition, as part of this ongoing effort to ensure businesses comply with data privacy laws, the Attorney General sent notices to several companies alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC. These businesses have 30 days to cure the alleged violations or face enforcement, like Sephora.
Bonta said he hoped the settlement sends a strong message to businesses still failing compliance with California’s consumer data privacy law. “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
Every chief information security officer (CISO) that conducts business in California, or is subject to the CCPA, should consider themselves on notice that the statute is as real as any other mandates and that they should act accordingly to get their house in order, says Andrew Hay, COO at LARES Consulting. “The best thing a CISO can do is review their CCPA-specific policies with their respective legal and HR teams to ensure their house is in order and that they’re not the next one on the CCPA’s hit list.”
Firms need to re-examine their data protection strategies to ensure they meet reasonable security standards in an era of increasingly sophisticated cyber threats, explains Hank Schless, Senior Manager, Security Solutions at Lookout. “As we have now seen with this $1.2 million fine, breaches of privacy under CCPA can result in significant fines for organizations. This regulation will be the benchmark for future state and federal privacy regulations across the United States.”
Bambenek recommends that CISOs, at a minimum, should know “what data they collect, why they collect it (or conversely, why they don’t delete or discard it), and what external entities have access to it. Like a good asset inventory, organizations need a good information asset inventory with where that data is going is essential.”