The California Attorney General has dropped a bombshell: the first enforcement settlement under the California Consumer Privacy Act (CCPA). Sephora, a French cosmetics brand, must pay $1,2 million in fines and abide by a set of compliance obligations.
It is alleged that Sephora failed to disclose to consumers it was selling their personal information; failed to honour user requests to opt out of sale via user-enabled global privacy controls and did not cure these violations within the 30-day period allowed by the law.
At issue in this case was Sephora’s sharing of information with third-party advertising networks and analytics providers. This case marks a considerable uptick in risk for companies doing business in California and preparing for the California Privacy Rights Act activation in January 2023. It is clear that the Attorney General is focusing on online tracking and the implementation of and compliance with global opt-out signals, such as the Global Privacy Control.
Take-aways from this:
- A French cosmetics brand was fined, not a large technological company.
- A Global Privacy Control is a browser extension that automatically signals a consumer’s privacy preferences to all websites they visit without having to click on opt-out links one by one.
- The Attorney General has been quoted as saying, “My office is watching, and we will hold you accountable…There are no more excuses.”
- The CCPA’s notice and cure provision is expiring at the end of this year, which means that businesses must comply from the outset
- The American Data Privacy Bill, currently before Congress, may further alter the rules and, in future, these enforcement actions could not occur
- Interesting developments within the privacy sphere of the USA