And they’re off!
In September 2022, the first fine of the Californian Consumer Privacy Act (CCPA) was issued. Sephora, the cosmetics giant, were fined $1.2 million for three violations of the CCPA. This fine followed an official warning from the Californian Attorney General after Sephora were investigated as part of a spot-check by Californian data privacy authorities. This warning triggered the CCPA’s ‘notice and cure’ period, which gave Sephora 30 days to implement remedial actions to fix these violations. They failed to correct these violations and the Attorney General Rob Bonta was authorised to issue the first fine of the CCPA.
What is the CCPA?
The Californian Consumer Privacy Act (CCPA) is the United States’ first active comprehensive state data privacy law. Currently, the US does not have a federal data privacy law of this type in place. This means that it is up to individual states’ legislature to pass data privacy legislation. The CCPA took effect in 2020 and has been followed since by legislation passed in Virginia, Colorado, Utah, and Connecticut, although each of these are not set to take effect until 2023.
Central to the CCPA are the four rights that it provides to consumers:
- The right to know about the personal information a business collects about them and how it is used and shared; This is similar to the GDPR’s Right to be informed.
- The right to delete personal information collected from them (with some exceptions); This is similar to the GDPR’s Right to erasure.
- The right to opt-out of the sale of their personal information; This is similar to the GDPR’s Right to be object.
- The right to non-discrimination for exercising their CCPA rights.
The scope of the CCPA extends only to Californian residents, which the CCPA classifies ‘a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state’. It also only applies to business that do business in California and meet the following criteria:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information
The violations explained
The Attorney General alleged that Sephora had violated the CCPA on three fronts.
Firstly, Sephora did not inform their consumers that their personal data was being sold to third parties. Sephora had allowed third parties to create customer profiles using data collected from their website. These include details on their brand of laptop used to access the store, their purchases and interests, and other details including cookie data. This information was then used by these third parties to conduct targeted marketing. Sephora did not provide any information on this to their consumers; Indeed they had even expressly told customers that their data was not being sold! This was therefore a violation of the CCPA’s ‘Right to Know’ (similar to the GDPR’s Right to be Informed).
Sephora’s second violation related to their failure to provide a ‘do not sell my personal information’ option to their consumers. Under the CCPA, this constituted a violation of ‘the right to opt-out’.
Finally, Sephora also failed to refrain from the selling of personal information of users who had opted-out of this via user-enabled global privacy controls (GPCs). GPC’s are technical standards enabled on certain web browsers that are supposed to prevent websites from tracking and selling your data. These ‘do-not-sell’ switches are present on browsers such as Mozilla Firefox, Duck-Duck-Go, and Brave. Sephora is alleged to have ignored these mechanisms and sold the information of users who had activated GPC controls on their browsers.
Announcing the fine, Attorney General Bonta stated: “There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
Start as you mean to go on
For data subjects protected by the CCPA, this fine is a positive sign of both the intent and action of the legislation. Although Sephora are a well-known multinational brand with entities in the US and the EU (where the GDPR has been in effect since 2018), $1.2 million is not an insignificant amount. Unfortunately for the cosmetics company, Sephora is still in the crosshairs of the CCPA. Sephora and other retailers are fighting a lawsuit alleging they shared customer data without permission to determine shoppers’ likelihood of fraudulently returning product purchases.
The rhetoric of the Attorney General Bonta also reflected this intent, stating that ‘Today’s settlement with Sephora makes clear we will not hesitate to enforce the law… it’s time for companies to get the memo, protect consumer data, honor their privacy rights.”
The fine also signals the end of the grace period for Californian businesses that meet the criteria for CCPA regulation. This fine is a watershed moment for US data privacy – the first fine from the first comprehensive data privacy legislation.
It is unlikely to be the last.
For privacy advocates this first step is a crucial one. As more data privacy laws are passed throughout the States, the pressure on Federal government to pass widespread data protection measures is likely to increase. Finally, it would appear the US is beginning to catch up with their European and UK counterparts.