SACRAMENTO, Calif. (CN) — Retail cosmetics giant Sephora will have to pay $1.2 million for selling consumers’ personal information and failing to process opt-out requests in violation of the landmark California Consumer Privacy Act.
“We found Sephora's actions unacceptable. Sephora failed to disclose to consumers that it was selling their personal information by making this information available to online third-party trackers in exchange for benefits like targeted advertising and discounted analytics,” California Attorney General Rob Bonta announced at a Wednesday morning press conference.
Sephora also failed to process opt-out requests made through global privacy control — a browser extension that automatically signals a consumer’s privacy preferences to all websites they visit without having to click on opt-out links one by one.
Under the settlement, Sephora must let customers know that it sells their data and give them a way to opt out.
A spokesperson for the company said in an email that Sephora uses "strictly for Sephora experiences” and that the CCPA does not define the word “sale” in its traditional sense, but also uses it to describe the common practice of using cookies, “which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.” The spokesperson said consumers can currently opt-out by clicking the “CA – Do Not Sell My Personal Information” link at the bottom of Sephora’s website.
“We have always cooperated fully with the Office of the Attorney General and Sephora’s practices are already in compliance with the CCPA. We respect the perspective and guidance provided by the OAG and understand the importance of the continually evolving requirements around consumer privacy,” they said.
Bonta said his office also sent notice and cure letters to more than 100 other businesses, giving them 30 days to correct their privacy violations.
“It's time for companies to get the memo: Protect consumer data. Honor their privacy rights,” he said. “The kid gloves are coming off. My office will not hesitate to protect consumers.”
The majority of businesses who receive such letters change their behavior within 30 days, Bonta said. “In Sephora’s case, they violated the law and they failed to cure the violation after receiving notice. They were not notifying their customers that they were collecting information, denying that they were selling it, and when they had an opportunity to cure the violation once we pointed it out, they failed to do so. Their actions compared to others was egregious.”
But the CCPA’s notice and cure provision is expiring at the end of this year, Bonta said. “There will no longer be that 30-day cure period so businesses are going to have to comply from the outset and not wait for a notice from the Department of Justice.”
It also comes as Congress considers a nationwide privacy bill that state officials fear would undermine California’s more robust consumer privacy protections.
“I believe that others outside of California deserve the protections that we have here. They may not get that level through the federal legislation, but they could get some strong privacy protections that are not currently in place,” Bonta said. “Again, those should be a floor and they should not preempt the exceptional privacy protections in place here in California.”
Bonta said he hopes that the final version of the American Data Privacy and Protection Act will contain a provision allowing consumers to automatically opt out of tracking, or at least allow California to retain its own opt-out provision and other protections that exceed those that may be provided under the federal law.
Otherwise, Wednesday's enforcement action against Sephora could not occur in California in the future.
“What we are trying to avoid is a scenario where the protections in the federal legislation are weaker than the protections in place currently in California,” he said. "That's what we have articulated repeatedly, clearly, and loudly to Congress."
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.