Sephora Fined $1.2M Under CCPA

In order to settle complaints from the California Attorney General that the cosmetics company had broken the state's consumer privacy legislation, Sephora USA Inc. has agreed to pay $1.2 million.

Privacy rights are being safeguarded by the Attorney General's most recent action against Sephora. It's not only about conventional data brokering: If handled carelessly, any personal information gathered by online monitoring tools may breach the CCPA's Do Not Sell compliance rules.

The AG is speaking out and declaring that it is no longer acceptable for businesses to freely utilize people's data for financial advantage – without providing them with a way to opt-out. Customers should be informed that when website owners employ free or heavily subsidized analytics and advertising services, their data is being "sold." To stop this type of data-for-value exchange, they need to be provided explicit information and a choice. The AG has conducted many sweeps, including this one. Before the CPRA takes effect in 2023, further penalties should be announced during the upcoming months.

In this guide, we’ll take a look at the case against Sephora and why business owners need to start working on their CCPA compliance now before the regulations go into effect next year.

Sephora’s $1.2 Million Privacy Violation

Attorney General Rob Bonta's office released a statement in August claiming that Sephora failed to inform customers that the business sells personal information gathered on its website and did not honor requests to opt-out of sales made through user-configured privacy measures.

The agreement is the first public enforcement action under the California Consumer Privacy Act, and it requires the cosmetics company Sephora to abide by its terms. Court permission is required for the agreement.

In a statement, Sephora said that it has worked with the attorney general's office and that its business procedures are in in compliance with the CCPA. The business has stated that it is crucial to remember that Sephora only utilizes data for Sephora experiences. The business claimed that as part of the California agreement, it did not accept culpability.

According to Bonta's complaint, which his office made public on Wednesday, the corporation let third parties track information including users' geolocation and the goods in an online shopping cart in return for targeted adverts and analytics services.

What does this recent occurrence mean for typical company owners, then? The deal between Sephora and the AG's office, in the Attorney General's opinion, sends a clear message to companies who continue to disregard California's consumer privacy statute. As such, it’s more important than ever for organizations to begin improving their data privacy processes to become compliant with the CCPA.

Understanding Your Legal Obligation as a Business Owner Under CCPA

What is the CCPA and CPRA?

A state-wide data privacy legislation known as the California Consumer Privacy Act (CCPA) governs how companies from all over the globe are permitted to handle the personal information (PI) of California citizens. The CCPA went into force on January 1st, 2020. It is the country's first statute of its sort.

Businesses should be concerned about the CPRA, an extension of the CCPA. The California Privacy Rights Act (or CPRA) adds certain additional privacy protections while also extending the rights given to Californians under the CCPA. On January 1st, 2023, the CRPA will go into force.

The CCPA has been updated by the CPRA in the following ways:

• The option to refuse to share personal data or “opt-out.” The term "sharing" refers to the act of a business providing a third party with a consumer's personal information for cross-context behavioural advertising, whether or not in exchange for money or other meaningful consideration. In essence, this is talking about interest-based advertising.
• The option to refuse certain uses and disclosures of sensitive personal information, which is defined as information about a consumer that can be used to identify them, such as a consumer's Social Security number, state identification number, driver's license number, or passport number, or a consumer's account login, bank account, debit card, or credit card number in conjunction with a security code, password, or other credentials.
• The right to have false personal data corrected.
• The right to more information about a company's information practices, including data retention policies.
• New rights in relation to the use of technology-assisted decision-making, including profiling.

Similar to the CCPA, the CPRA is applicable to for-profit organizations conducting business in California that also gather personal data from residents of California and fulfill other requirements. Noting that the CPRA has amended these threshold standards, it will be crucial for businesses to determine whether they meet the new thresholds, which include:

• The business's gross revenue in the year before was more than $25 million.
• The business purchases, sells, or distributes the personal data of at least 100,000 customers or households.
• The corporation gets at least 50% of its yearly income from the sale or exchange of customer data.
• The company shall be regarded as a business under the CPRA if any of the aforementioned requirements are met.

The CPRA also places new demands on businesses, such as the need to pass deletion requests not only to service providers but also to contractors and other third parties with whom the businesses have shared or sold information, as well as requirements for data minimization, retention, and purpose limitation. Additional clauses that must be included by enterprises in their agreements with service providers, contractors, and other third parties are also required by law. Increased auditing requirements, such as yearly cybersecurity audits and frequent risk assessments sent to the new enforcement agency, are anticipated to result from regulations adopted under the bill. The CPRA also explains how the anti-discrimination sections of the legislation affect loyalty programs and push back the CCPA's sunset clauses for the employee exemption and business-to-business exception until January 1, 2023.

The CPRA increases fines for offenses involving kids under the age of 16 and strengthens enforcement by eliminating the CCPA's current mandated 30-day cure time for enterprises. Additionally, the legislation broadens the categories of data breaches that are covered by the data breach private right of action to include data breaches involving a username, email address, and a password or security question and answer that would allow access to an online account.

Only infractions that happen on or after July 1st, 2023 will be subject to the CPRA's enforcement. Businesses must maintain flexibility in order to adapt their compliance practices in light of continuing regulation action.

What Should Businesses Do to Stay Compliant?

Without a system in place to monitor and comply with opt-out requests like "Do Not Sell," your business runs the danger of being held financially liable as well as losing the trust of customers, which will result in a reduction in sales.

Fortunately, maintaining CCPA and CPRA compliance is not too challenging. Simply audit your current compliance procedures, then put the following suggestions into practice: 

• Create a sensitive and/or PII data inventory and map and keep it up to date.
• Create a procedure for erasing customer data to abide by the CPRA's right to be forgotten.
• Make sure that your privacy warnings and practices for protecting personal information are compliant with the CPRA. Deliver the necessary CPRA notifications, including the opt-out and opt-in options.
• If you sell or share customer information, make sure your website has a "Do Not Sell or share My Personal Information" option so that customers may choose not to have their information sold or shared.
• Make sure a link to the "Do Not Sell My Personal Information" page is included in your privacy policy.
• Give customers the option to restrict the use or disclosure of their sensitive personal information to only those allowed uses by providing a link labelled "Limit the Use of My Sensitive Personal Information."
• Examine contracts with suppliers, customers, and employees and revise them as appropriate to address the handling of personal information.
• Make a plan for how to identify, confirm, and handle consumer requests for access to or deletion of personal information that can be verified. Make sure you are able to react to customer requests for free access to their personal data within 45 days through phone or email. Additionally, you will have to make customer data available in an accessible way upon request. There should be written instructions for this procedure, along with a toll-free number and internet URL.

Furthermore, businesses that deal with a significant amount of personal consumer data could benefit from a third-party platform like Data Sentinel to help automate their data trust processes. Data Sentinel’s platform can help your organization reduce sensitive data risks, comply with the CCPA and CPRA (as well as other relevant data regulations), manage overall data governance and data quality, and fix existing data roadblocks. Managing data and staying compliant can often be a challenge for organizations that deal with large data holdings, but platforms like Data Sentinel can make managing that data and staying compliant as efficient as possible.

‍