A Lesson in CCPA Compliance: The Sephora Story

The case against Sephora

In June 2021, the California Office of the Attorney General (OAG) started an enforcement sweep of large retailers. The audit was to determine whether the retailers continued to sell consumers' personal information when the consumer signaled an opt-out via the Global Privacy Control (GPC).

Here is a quick definition of what GPC is:

The GPC is a browser-level signal that allows internet users to instantly notify all websites of their desire to opt out of having their personal information shared or sold. Implementing this signal allows a user to share their privacy preferences without having to manually decline consent on each website they visit.

By the way, if you wish to transmit a Global Privacy Control signal from your browser, this page gives you a list of clients and extensions which enable you to do so.

Recognizing GPC has been a mandatory component of the CCPA compliance terms since they came into effect in January 2020. Yet, the AG's investigation discovered that on the Sephora site, activating the GPC signal had no effect, and consumer data continued to flow to third-party companies. These parties included advertising and analytic providers.

This was in spite of the fact that Sephora had a statement on its website declaring that “we do not sell personal information.” Oops.

To make matters worse, Sephora also failed to provide consumers with an easy-to-find “Do Not Sell My Personal Information” link, either on its website or in its mobile app.

The third offense in non-CCPA compliance, came after the Attorney General had notified Sephora of the violations. The retailer failed to rectify any of the violations within the CCPA's stipulated 30-day time frame, and that is what led to the enforcement action.

What type of data was Sephora collecting?

Sephora's third parties were able to track all types of data, from the type of device a consumer was using to connect to the website or mobile app to the brand of lipstick a consumer put in their shopping cart. It also included the precise location of the consumer.

The AG's complaint also raised concerns about other sensitive data. Consumer's visiting Sephora's website can also browse and purchase products such as prenatal and menopause support vitamins— data points that can be used to make assumptions about women's health conditions. In light of the overturning of Roe vs Wade, this can have serious implications.

All of the above are considered “personal information” as per CCPA. But the real issue that led to the CCPA fine was that Sephora was sharing these details without informing consumers or giving them the option to control that data.

But, was Sephora “selling” the data?

Kind of. Not really. But also, yes. Clear as mud, right? The reason for the confusion is down to how loosely written the CCPA compliance regulations are. The term “sale” was never really explained in great detail. But at least now, with this first enforcement, the OAG has given us more to go on.

Basically, it all comes down to the difference between a third party and a service provider.

Under CCPA, a service provider is a company that performs services on behalf of a business using the personal information that the business provides.

A service provider might be:

• Email marketing companies
• Customer Relationship Management (CRM) providers
• Payment processors
• Analytics service providers

The thing is, third parties can also be these types of companies providing the same services. The difference is a “service provider” is bound by a contract that includes terms ensuring strict adherence to CCPA compliance standards. Therefore, sharing personal data with a service provider doesn't count as "selling". Sharing it with a third party, with no such contract, however, does.

The third parties in Sephora's case were technically “service providers”, they received the data in exchange for advertising and analytic services.

BUT they didn't have a “service provider” contract in place.

This mistake is what led the AG to take the stance that Sephora had “sold” the information and therefore levy the CCPA fines against them.

What are the consequences for Sephora?

In addition to the payment of the $1.2 million CCPA fines, Sephora will be under close CCPA scrutiny for the foreseeable future. First of all, it has to correct the violations by clarifying its online privacy policy to give a clear indication that it sells personal data and provides an easy-to-find opt-out, and honors any GPC signals.

Sephora will have to conduct annual reviews of its websites and mobile apps to avoid CCPA compliance violations in the future, and provide reports on those reviews to the state of California. These reports must also include a list of entities Sephora shares its consumer data with.

What have we learned from Sephora's CCPA fines?

It could be argued that in Sephora's eyes, it was sharing data with a service provider, so when it stated on its website that it didn't “sell” customers' data, it believed it to be true.

The same goes for the opt-out. They didn't believe they needed the opt-out option for data sales, because, to them, they weren't selling.

But of course, as in any court of law, ignorance is not a great defense strategy. And it still doesn't account for them not rectifying the situation within the 30 days' notice to avoid the CCPA fines.

So, what can we take away from this case?

• That GPC signals most definitely constitute an opt-out.
• That ��sale” of data isn't limited to a financial sale but also includes sharing data in exchange for services.
• If you are using service providers, you should have contracts in place for each one.
• Oh, and make sure you comply with the CCPA regulations, namely, telling your consumers you're collecting data AND providing them with a clear opt-out option.

What about the consumers?

Of course, cases like this don't do much to soothe the minds of the privacy-concerned consumer. It's disconcerting to say the least when huge retailers fail in CCPA compliance, have misleading privacy policies, and don't give you the option to control your own data.

But you don't have to wait for regulating bodies or law enforcement to hand out hefty CCPA fines to make things “better”. You can take your data into your own hands by adopting the use of multiple privacy tools like privacy-focused browsers, ad blocking, and VPNs and take back control of your data from companies like Sephora.

Check out The Biggest GDPR Fines EVER...(so far).