California Attorney General Rob Bonta has announced a settlement with the beauty brand Sephora over allegations that the company has violated California’s landmark privacy law, the California Consumer Privacy Act (CCPA).

According to Bonta, it was determined after an enforcement sweep that Sephora failed to disclose to customers that the company was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of CCPA, and that it did not remediate these violations within the 30-day window allowed by CCPA.

Sephora’s settlement has raised many questions about how CCPA will be enforced and what repercussions other companies may face as its requirements begin to be taken more seriously.

“All public information suggests that this was a non-targeted enforcement sweep,” said Yotam Segev, co-founder and CEO of the cloud-native data security company, Cyera. “However, as a multinational retailer of personal care and beauty products with nearly 340 brands, an enforcement action against Sephora sends a strong signal to other eCommerce, lifestyle, luxury, and social media brands that compliance with CCPA is not something they can put off any longer. This is a two-year-old rule, and with the more restrictive California Privacy Rights Act looming in 2023, security teams have been put on notice that their window to comply is shrinking fast.”

This settlement required Sephora to pay $1.2 million in penalties as well as comply with several injunctive items, among them:

  • clarifying its online disclosures and privacy policy,
  • offering ways for consumers to opt out of the sale of personal information,
  • conforming its service provider agreements to CCPA’s requirements, and
  • providing reports to the Attorney General relating to its sale of personal information.

According to Segev, consumers should be able to place their trust in brands and that is why CCPA exists. “It’s just one enforcement mechanism designed to help brands feel a sense of urgency to protect their customers’ right to privacy,” he said.

Segev went on to say that although some rhetoric around CCPA suggests that the definition of selling data may be too vague, consumers should always be able to feel confident that their data is safe with the companies they entrust it to. 

In order to cultivate this confidence between consumer and company, Bonta has sent notices to several other businesses alleging non-compliance for failing to honor customer opt-out requests made via user-enabled global privacy controls.

Sephora’s settlement along with these notices being doled out to other companies may leave businesses feeling a heightened sense of urgency to ensure they are complying with regulations such as CCPA to the fullest extent. 

“I believe that businesses and their security teams are under incredible pressure and strain to act correctly and comprehensively in the face of increasingly stringent regulations,” said Segev. “The technologies that created these data protection issues are decades in the making. From the first days of Google to the rise of social sharing and the concentration of customer identity data with a few major providers, understanding what data a company has, where it is managed, how it is secured, and who is accessing it are very challenging problems to solve. Enforcement actions like this will create a greater sense of urgency, but also a considerable prioritization and management challenge.”