On August 24, 2022, the California Office of the Attorney General (“OAG”) announced a $1.2 million settlement with the cosmetics retailer Sephora, Inc. for violations of the California Consumer Privacy Act (“CCPA”) and California’s Unfair Competition Law (“UCL”). The OAG alleges in a complaint that Sephora falsely stated in its privacy policy that it did not sell personal information about California residents to third parties and ignored web signals transmitting users’ opt-out requests. The announcement marks the first public enforcement action of the CCPA by the OAG in the first two-and-a-half years since the law took effect. The OAG also announced that it had sent notices to a number of businesses alleging similar violations of the CCPA.
The OAG’s allegations center on Sephora’s sale of consumer personal information to third parties and its failure to properly address consumers’ opt-out requests. The complaint provides valuable insight into the OAG’s enforcement priorities, investigatory processes, its interpretation of arguably ambiguous provisions of the CCPA, and its appetite for penalties. This article provides some important lessons for businesses to learn following this historic enforcement action.
A Sale Is More Than Just A Quid Pro Quo
The OAG made clear that disclosing personal information to third parties in exchange for services is a sale. In the complaint, the OAG alleges Sephora disclosed personal information about its website visitors to advertising networks, business partners, and data analytics providers in exchange for valuable consideration, i.e., free or discounted analytics and advertising benefits. Notably, the OAG concluded that the exchange of personal information for analytics and advertising each constitutes a sale under the CCPA. It is possible that Sephora did not consider either of these disclosures to be a “sale.” The OAG points out that Sephora’s 2021 privacy policy admitted to sharing personal information, including geolocation and network information, with advertising networks and data analytics providers. Despite this, Sephora affirmatively represented that it did not sell personal information and did not post the “Do Not Sell My Personal Information” link required of businesses that sell personal information.
Some have argued that CCPA’s definition of “sale” requires there to be a quid pro quo exchange of money or other valuable consideration specifically in exchange for personal information. With respect to Sephora, the OAG concluded that “[b]oth the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA.” Based on this, companies should reconsider narrow interpretations of the sale definition.
Service Provider Agreements are Necessary to Avoid Selling
The OAG alleges Sephora was not able to enjoy the service-provider exception with respect to its analytics and advertising vendors because it did not have “valid” service-provider contracts with them. The CCPA states that sharing personal information with a service provider for business purposes is not a sale. However, whether an entity is a service provider depends on whether it has a valid service provider contract that imposes stringent use limitations on the service provider.
It is unclear from the allegations whether Sephora failed to have the proper terms in its contracts with its analytics and advertising vendors, or whether it failed to have an agreement at all. Some analytics and advertising service providers make it rather difficult to determine whether CCPA-compliant contract terms apply. For example, Google Analytics’ CCPA Service Provider terms apply solely to the extent the customer enables the Restricted Data Processing functionality within the Google services that offer such functionality. While the complaint does not indicate whether or not Sephora used Google Analytics (in fact, it alleges Sephora used several advertising and analytics services), the OAG appears to have rejected the validity of each of them with respect to applying the service provider exemption. Businesses should closely review both their contract terms and their services settings with experienced privacy counsel to ensure that service provider contracts are valid.
CCPA Violations Are Easy to Spot
The OAG has taken a proactive approach to CCPA enforcement by conducting “enforcement sweeps” of online properties. Per the complaint, the OAG commenced an investigation of large retailers, including Sephora, in June 2021 to identify violations of the CCPA’s opt-out requirements. As part of the enforcement sweep, the OAG used commercially available browser extensions to monitor network traffic involving third-party advertising and analytics providers. Once potential violations were identified, the OAG conducted additional testing to confirm such violations and identify others. For example, once the OAG confirmed that Sephora failed to honor the Global Privacy Control (discussed in more detail below), it reviewed Sephora’s privacy notices and found additional CCPA violations, including the failure to notify consumers about the categories of personal information being sold and the lack of a “Do Not Sell My Personal Information” link. The OAG’s proactive approach to searching for CCPA violations should be a warning to any CCPA-covered business to ensure that it is outwardly compliant.
Websites Must Respond to the Global Privacy Control
The complaint against Sephora affirms that the OAG considers the Global Privacy Control (“GPC”) to be a valid method by which consumers may submit requests to opt out of the sale of their personal information. The GPC is a specification developed by various industry organizations to serve as a standard signal to communicate, among other things, a Do Not Sell request pursuant to the CCPA. The CCPA and its implementing regulations have always required businesses to respond to user-enabled global privacy controls, but there has been a question of whether businesses were permitted to wait for official adoption or approval of one signal or another before being required to honor it. However, in January 2021 Attorney General Xavier Becerra tweeted that the GPC satisfied the legal requirements under the CCPA and would be considered a valid universal opt-out request signal. In addition, the OAG published responses to CCPA frequently asked questions which confirmed that the GPC was a recognized user-enabled global privacy control. Despite that, many businesses, apparently including Sephora, failed to take action to respond to the GPC.
According to the complaint, the OAG’s investigation consisted of analyzing how Sephora’s network traffic changed when the GPC’s “Do Not Sell” signal was sent. In its notice to cure letter to Sephora, the OAG identified the failure to respond to or process consumer opt-outs via the GPC as a CCPA violation. Businesses should ensure that they honor the Global Privacy Signal.
Violations of the CCPA May Violate California’s Unfair Competition Law
In addition to a cause of action for direct violation of the CCPA, the OAG asserts a second cause of action for violation of the UCL. While the CCPA explicitly states that it may not be the basis for any private right of action under any other law, no such limitation exists for governmental enforcement. In fact, the statute is to be construed to harmonize with other consumer protection laws like the UCL. In that context, the OAG asserted violations for both the CCPA and the UCL, which enabled it to seek forms of relief, like restitution, not expressly permitted by the CCPA. Businesses should be aware of the multiple avenues afforded to the OAG with respect to enforcement.
The OAG Will Continue to Enforce the CCPA
Since the passage of the California Privacy Rights Act amendments to the CCPA, many have wondered whether the OAG would hand over enforcement of the CCPA to the nascent California Privacy Protection Agency (“CPPA”). Though one could argue the Sephora settlement is a product of the OAG’s early enforcement efforts, the fact that it announced a new investigative sweep should signal to all that the OAG will continue to be a player in the California privacy ecosystem. Businesses are likely to see administrative actions and investigations by the CPPA in addition to civil actions and investigations by the OAG.
The First Settlement Under the CCPA Is Significant
Announcement of the enforcement action and settlement is a significant marker of the end of the CCPA grace period. Attorney General Bonta stated in his office’s press release “It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” Businesses have been warned that the era of non-enforcement is over.
The settlement also provides insight into the remedies sought by the OAG. In the settlement, Sephora agreed to provide the requisite notices to consumers and to honor the GPC. In addition, Sephora agreed to a 2-year CCPA compliance program with reporting to the OAG. As part of this program, Sephora must review and report on:
- The effectiveness of its opt-out request mechanisms, including GPC response;
- The entities to which it makes personal information available through its websites and apps. Sephora must identify each entity, describe the purposes for making available such information, and disclose whether Sephora classifies them as service providers.
- Document all service provider agreements and ensure that it has properly enabled all functionality to ensure restricted data processing.
It is not clear how the OAG and Sephora arrived at the $1.2 million settlement amount, and there is no indication of the number of consumers potentially impacted by Sephora’s alleged violations, but the penalty amount is substantial considering that the sum represents more than 20 percent of the initial $5 million appropriation for the CPPA. The penalty will be deposited into the Consumer Privacy Fund which will be used to offset the OAG’s and state court’s costs in connection with CCPA enforcement. Ultimately, the settlement represents a significant but measured approach to CCPA enforcement. Businesses should continue to monitor enforcement actions to learn more about the OAG’s enforcement practices.
Conclusion
The OAG’s announcement is impactful to all California businesses and kicks off a new era in privacy enforcement. Privacy compliance will continue to be a challenging and constantly changing area of the law, so businesses should consult with competent counsel to ensure they maintain compliance.
Michael Hellbusch is a Partner at Rutan & Tucker and chairs the firm’s Data Privacy and Protection practice group. He is a member of the California Lawyers Association Privacy Section Executive Committee. He is certified by the International Association of Privacy Professionals (IAPP) in US and European privacy laws (CIPP/US, CIPP/E) and is a Certified Information Privacy Manager (CIPM).