Sephora gets $1.2m fine for CCPA data privacy violation

Image by eamesbot via Freepik

Sephora is the first company to be publicly fined for violating California’s Consumer Privacy Act (CCPA).

California Attorney General Rob Bonta announced a settlement with Sephora to resolve allegations that the company violated the CCPA — the landmark data privacy law.

After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to:

disclose to consumers that it was selling their personal information
process user requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA
and that it did not cure these violations within the 30 days currently allowed by the CCPA

According to the press release, the settlement is part of the Attorney General’s effort to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties, including those signaled by the Global Privacy Control (GPC).

The settlement requires Sephora to pay $1.2 million in penalties and comply with essential terms, including:

Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control;
Conform its service provider agreements to the CCPA’s requirements; and
Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.

As a fundamental rule, “you can’t tell your customers you are doing one thing (not selling their data), and then do another (sell their data),” says John Bambenek, Principal Threat Hunter at Netenrich. “Whether by the California AG, the FTC, or some other regulator, less than truthful claims will eventually catch the eye of some regulator or enforcement official.”

In addition, as part of this ongoing effort to ensure businesses comply with data privacy laws, the Attorney General sent notices to several companies alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC. These businesses have 30 days to cure the alleged violations or face enforcement, like Sephora.

Bonta said he hoped the settlement sends a strong message to businesses still failing compliance with California’s consumer data privacy law. “My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Every chief information security officer (CISO) that conducts business in California, or is subject to the CCPA, should consider themselves on notice that the statute is as real as any other mandates and that they should act accordingly to get their house in order, says Andrew Hay, COO at LARES Consulting. “The best thing a CISO can do is review their CCPA-specific policies with their respective legal and HR teams to ensure their house is in order and that they’re not the next one on the CCPA’s hit list.”

Firms need to re-examine their data protection strategies to ensure they meet reasonable security standards in an era of increasingly sophisticated cyber threats, explains Hank Schless, Senior Manager, Security Solutions at Lookout. “As we have now seen with this $1.2 million fine, breaches of privacy under CCPA can result in significant fines for organizations. This regulation will be the benchmark for future state and federal privacy regulations across the United States.”

Bambenek recommends that CISOs, at a minimum, should know “what data they collect, why they collect it (or conversely, why they don’t delete or discard it), and what external entities have access to it. Like a good asset inventory, organizations need a good information asset inventory with where that data is going is essential.”

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.