The California Attorney General has dropped a bombshell: the first enforcement settlement under the California Consumer Privacy Act (CCPA). Sephora, a French cosmetics brand, must pay $1.2 million in fines and abide by a set of compliance obligations.

It is alleged that Sephora failed to disclose to consumers that it was selling their personal information, failed to honour user requests to opt out of sale via user-enabled global privacy controls, and did not cure these violations within the 30-day period allowed by the law.

At issue in this case was Sephora’s sharing of information with third-party advertising networks and analytics providers. This case marks a considerable uptick in risk for companies doing business in California and preparing for the California Privacy Rights Act to take effect in January 2023. It is clear that the Attorney General is focusing on online tracking and on the implementation of, and compliance with, global opt-out signals such as the Global Privacy Control.

Sephora has said that it uses cookies “strictly for Sephora experiences” and that the CCPA does not define the word “sale” in the traditional sense of the word but uses it to describe the common practice of using cookies. Under the settlement, Sephora must let customers know that it sells their data and give them a way to opt out.

Take-aways from this:

  • A French cosmetics brand was fined, not a large technological company.
  • A Global Privacy Control is a browser extension that automatically signals a consumer’s privacy preferences to all websites they visit without having to click on opt-out links one by one.
  • The Attorney General has been quoted as saying, “My office is watching, and we will hold you accountable…There are no more excuses.”
  • The CCPA’s notice and cure provision is expiring at the end of this year, which means that businesses must comply from the outset.
  • The American Data Privacy Bill, currently before Congress, may further alter the rules, and in future such enforcement actions might not occur.
  • Interesting developments within the privacy sphere of the USA.

