On August 24, 2022, beauty products retailer Sephora was hit with a $1.2 million fine from the California Attorney General’s office. In addition, the company is required to make substantial changes to its privacy policies and programs and is subject to continuing oversight by the AG’s office for two years.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a 2018 law from the State of California that “gives consumers more control over the personal information that businesses collect about them.”

The highlights are the consumer’s:

  • Right to know what information is collected.
  • Right to delete personal information.
  • Right to opt-out of the sale of personal information.
  • Right of non-discrimination in exercising their rights.

Companies must also respect the consumer’s preference as indicated by the browser’s Global Privacy Control (GPC) signal.

These rights apply to California residents – people, not companies or other legal entities. The CCPA applies even when the resident is temporarily outside the state.

It applies to businesses that have annual revenue over $25 million; that buy, receive, or sell the personal information of 50,000 or more California residents; or that derive more than 50% of their annual revenue from selling the personal information of California residents.

In most cases, there is no private right of action, and the state Attorney General’s office is the sole means of enforcement. The major exception is a data breach, after which individuals can sue the company. However, penalties are $2,500 per violation, and each visitor from California counts as a separate violation, so that adds up quickly.

What did Sephora do to violate CCPA?

The California Attorney General alleged that Sephora, or third parties it gave permission to, installed tracking software on its website to monitor online shoppers.

The third parties running the software did not pay Sephora for this data, but Sephora did receive analytics about website visitors and advertising retargeting services in return.

Using the law’s broad definition of a sale, “the exchange of personal information for anything of value,” the AG began an enforcement action against Sephora, alleging that:

(1) Sephora’s online privacy policy falsely stated “we do not sell personal information” despite the value it received for using adtech software;

(2) Sephora failed to include the required “Do Not Sell My Personal Information” link on its homepage; and

(3) Sephora failed to respond to consumer requests to opt out of such sales via Global Privacy Control (GPC), a browser signal that users can set once to inform all websites that they do not want their information sold.

Re-Targeting Ads

The complaint against Sephora specifically called out the re-targeting ads.

“[I]f companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be “selling” consumer personal information under the law.”

Many companies may have thought that, because no money changed hands for this service, the transfer was not a sale. But under the CCPA, the definition of a sale is very broad.

Your privacy policy should reflect how you actually treat data, particularly when that data leaves your company and goes to any third-party provider.

What does this mean for your business?

First, it is important to determine whether the CCPA applies to your business. Does your business have more than $25 million in revenue, or does your business or website handle the personal information of 50,000 or more California consumers a year?

Second, privacy policies are important, and so is what is inside them. You need to be very clear about what counts as a “sale” of information: if you use re-targeting ads, for example, that is considered a sale of information. Reevaluate the privacy policy to ensure that it says what you think it says, and update sections that may no longer be accurate because you have deployed additional technologies, such as ad re-targeting.

Third, you need a way for your users to opt out of the sale of their data. This should include two things: a “Do Not Sell” page and honoring the GPC signal sent by browsers or browser extensions. The California AG made it clear that it will enforce the law against businesses that lack these controls, especially the opt-out requirements.

Fourth, pay attention to notices from government entities. Sephora had an easy way to avoid the $1.2 million fine: curing these deficiencies within 30 days. It could have implemented the same changes it now has to make anyway, and avoided the fine, if it had only opened its mail and taken appropriate action.
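The third point above has a concrete technical side: browsers that have GPC enabled send the request header `Sec-GPC: 1` (and expose `navigator.globalPrivacyControl` to page scripts), and a site must treat that signal as an opt-out of sale even if the visitor never clicked its own “Do Not Sell” link. The following Node.js code is an added example, not code from the original post or from Sephora; the `headers` object, the `doNotSellPreference` flag and the tag names are assumptions made for illustration.

```javascript
// Added example (not from the original post): gate third-party retargeting
// tags on the two opt-out channels the CCPA enforcement action focused on,
// the browser's Global Privacy Control signal and the site's own
// "Do Not Sell My Personal Information" preference.
// Assumptions: `headers` is a plain object of request headers as a Node
// server sees them (header names are case-insensitive), `doNotSellPreference`
// is the flag the site stores when a visitor uses its Do Not Sell link, and
// the tag names are placeholders.

// Per the GPC specification the browser sends "Sec-GPC: 1". Only the exact
// value "1" is a signal; an absent header, "0" or any other value is not.
function gpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return typeof value === 'string' && value.trim() === '1';
    }
  }
  return false;
}

// Either channel alone is enough to opt the visitor out: the GPC signal must
// be honoured even when the visitor never touched the site's own link.
function sharingAllowed({ headers, doNotSellPreference }) {
  if (doNotSellPreference === true) return false;
  if (gpcOptOut(headers)) return false;
  return true;
}

// Decide which tags the server renders into the page. First-party analytics
// that never leave the company are unaffected; retargeting pixels, which the
// AG treated as a sale of personal information, are dropped for opted-out
// visitors.
function selectTags(ctx) {
  const tags = ['first-party-analytics'];                   // placeholder name
  if (sharingAllowed(ctx)) tags.push('retargeting-pixel');  // placeholder name
  return tags;
}

// Browser-side counterpart for tags loaded by client script: the same signal
// is exposed as navigator.globalPrivacyControl (true when the user set it).
function gpcOptOutInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests, as a Node server would see them.
const optedOutRequest = { headers: { 'sec-gpc': '1', 'user-agent': 'x' }, doNotSellPreference: false };
const normalRequest = { headers: { 'user-agent': 'x' }, doNotSellPreference: false };
const linkOptOutRequest = { headers: { 'user-agent': 'x' }, doNotSellPreference: true };
```

In a real deployment the same decision also has to suppress any client-side tag manager that would load the retargeting script after page load, which is why the browser-side check is included alongside the server-side one.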
