The California Attorney General’s First Enforcement of CCPA


Rick Buck, Chief Privacy Officer

On August 24, 2022, California Attorney General Rob Bonta announced his first CCPA enforcement action: a $1.2 million settlement with online retailer Sephora, Inc. Attorney General Bonta is sending a strong message that he intends to aggressively enforce the CCPA and the pending CPRA. If you are a business that shares information with advertising networks, you need to be sure you are fully compliant with California privacy laws.

Sephora allegedly violated the CCPA by failing to meet several key requirements, including:

  • Informing consumers that it sells their personal information
  • Properly honoring Global Privacy Control (GPC) signals as opt-out-of-sale requests
  • Disclosing its sell/share practices in its privacy policy
  • Curing the alleged violations within the 30-day cure period

This enforcement action centered on Sephora’s sharing of personal information with third-party advertising networks. The failure to cure led to a broader investigation of Sephora’s privacy practices.

In addition to the monetary fine, the settlement imposes injunctive obligations on Sephora, including:

  • Implement, within 180 days of the settlement, and maintain for the following two years a program to assess and monitor the effectiveness of its processing of opt-outs
  • Conduct, within 180 days of the settlement and annually for the following two years, reviews of its websites and mobile applications to determine which companies it sells/shares data with
  • Share the assessment and reviews in an annual report detailing:
    • Testing done
    • Errors or technical problems impacting the processing of opt-out requests
    • Companies it sells/shares personal information with
    • Whether those companies are considered service providers
    • Purpose for which information is made available
  • Update disclosures and the privacy policy to make it clear that it sells data
  • Provide mechanisms for consumer opt-outs, including GPC
  • Align service provider agreements with the CCPA’s requirements

Here are a few things to consider to make sure that you are compliant:

  • Sale: Based on this enforcement action, leveraging cookies and tracking technologies and sharing the resulting data with advertisers is likely a “sale” under the CCPA, so the following apply:
  • Opt-out: You must allow consumers to opt out of cookies. Make sure your website can accommodate “Do Not Sell My Personal Information” requests and that GPC or similar technologies are enabled to handle those requests
  • Manage Consent and Preferences: Properly collect consent and preference signals and ensure they are shared with third parties across your ecosystem
  • Privacy Rights: Provide easy access for consumers to exercise their privacy rights
  • Contract Service Providers: Make sure that you properly identify your service providers and update your contracts so they are compliant with the CCPA and CPRA
  • Right to Cure: Leverage this while it’s available, as the cure period sunsets on 1/1/23. Sephora may have avoided this outcome had it reacted earlier.
  • Privacy Notices: Review your privacy policies on your websites, apps and points of collection. Align them with CCPA and CPRA requirements. Specifically disclose the “sale” of personal information for advertising and analytics purposes and how to opt out, and any activities that may be considered a “financial incentive”
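To make the Opt-out item concrete, here is an added example (not WireWheel’s or Sephora’s code) of how a site can treat the Global Privacy Control signal as an opt-out-of-sale request before any third-party advertising tag fires. It relies on two facts from the GPC specification, the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property; the function names, the consent-record shape and the sample requests are assumptions constructed for the illustration.

```javascript
// Server side (Node lowercases incoming header names). Per the GPC spec the
// header is "Sec-GPC" with the value "1"; any other value is not a valid signal.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Client side: a browser with GPC enabled exposes navigator.globalPrivacyControl === true.
// Takes a navigator-like object so it can be exercised outside a browser.
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Gate for third-party advertising/analytics tags. A GPC signal counts exactly like a
// click on "Do Not Sell My Personal Information" and must override any default of
// "consented". storedPreference is the site's own consent record (assumed shape:
// { optOutOfSale: boolean }, or null for a visitor with no record).
function mayShareWithAdNetworks(headers, storedPreference) {
  if (hasGpcSignal(headers)) return false;
  if (storedPreference && storedPreference.optOutOfSale) return false;
  return true;
}

// Per-request decision record. The settlement requires periodic testing of opt-out
// processing and reporting of errors, so recording why each request was (not) shared
// gives the assessment program something auditable to check against.
function optOutDecision(headers, storedPreference) {
  const gpc = hasGpcSignal(headers);
  const stored = Boolean(storedPreference && storedPreference.optOutOfSale);
  return {
    gpcSignal: gpc,
    optedOut: !mayShareWithAdNetworks(headers, storedPreference),
    source: gpc ? 'gpc-header' : stored ? 'stored-preference' : 'none',
  };
}

// Constructed sample requests (not captured traffic).
const withGpc = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
const withoutGpc = { 'user-agent': 'ExampleBrowser/1.0' };
const malformedGpc = { 'sec-gpc': 'true' }; // not a valid signal per the spec

console.log(optOutDecision(withGpc, null));                    // opted out via header
console.log(optOutDecision(withoutGpc, { optOutOfSale: true })); // opted out via record
console.log(optOutDecision(malformedGpc, null));               // no valid signal
```

The same `mayShareWithAdNetworks` check is what an opt-out monitoring program would exercise against synthetic requests to confirm that no ad tag is loaded when the signal is present.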

WireWheel’s software solutions help you comply with privacy regulations including managing privacy rights and consents and preferences.

Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…