
Sephora’s $1.2m CCPA settlement sends a ‘strong message’ to brands


By Kendra Barnett, Associate Editor

August 29, 2022 | 8 min read

California is making an example of cosmetics retailer Sephora. It’s just the start.


The California Attorney General’s office is cracking down on CCPA violations – beginning with Sephora / Tingey Injury Law Firm

In the first enforcement action under the California Consumer Privacy Act (CCPA) – the US’s most sweeping state-level consumer data protection law – California attorney general Rob Bonta announced last week that his office has reached a $1.2m settlement with beauty retailer Sephora over alleged violations. CCPA went into effect in January 2020.

“The alleged CCPA violations are somewhat technical in nature,” says Marci Rozen, data security attorney and legal director at DC-based firm ZwillGen. She says that Sephora “engaged in completely ordinary data sharing activities like using pixels and cookies for online behavioral advertising” and that the company disclosed these practices effectively in its privacy policy.

The allegations instead stem from Sephora’s failure to properly disclose that these activities constitute a ‘sale’ in the way that the term is defined under the CCPA, says Rozen. Under CCPA, a “sale” entails any kind of sharing or disclosure of personal information to a third party for monetary or other valuable consideration. The lawsuit alleges that Sephora provided user data to third parties via tracking technologies such as cookies and other tools that automatically share information, and that the company did not effectively explain these transactions as “sales” to users. The company also failed to offer users a means of opting out of these sales, which is legally required.

The attorney general notified the cosmetics seller on June 25, 2021 of its possible noncompliance, but Sephora did not make the necessary changes to its website within the 30-day cure period required by CCPA. As a result, the retailer must now cough up close to $1.2m in fines.

In a press conference following the announcement, Bonta said: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable ... There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Financial risks outweigh brand reputation risks

Although the settlement reflects poorly on Sephora, experts are skeptical that the news will shake consumers’ trust in the brand – largely because of the scope of the alleged infringements. “I don’t believe consumers track this type of news closely enough unless it puts them directly at risk, such as an unintentional data leak of credit card details – which we have seen cause significant reputational damage in the past,” says Brady Donnelly, managing director of marketing agency Sela and chief marketing officer at PCA Group. “I’d argue that a fair number [of consumers] assume this is happening already.”

And although Sephora’s brand reputation may not be on the line, the ears of other organizations may be perking up at the news.

“[This] should effectively put to rest any remaining perceived ambiguity ... [concerning] the opt-out of sale requirement as it relates to tracking,” says Arielle Garcia, chief privacy officer at ad agency UM Worldwide.

She suggests that organizations everywhere are under the gun to ensure the details of their privacy policies are compliant with data sales and opt-out requirements. “For brands that may have maintained a position that they ‘do not sell,’ this should serve as a catalyst to bring together privacy, legal, IT and marketing to ensure that advertising and marketing data use is fully contemplated in their CCPA approach.”

If not for the reputational risk, the financial risk alone is likely sufficient motivation to make any necessary changes, says Donnelly. Beyond violation fines, lawsuits such as Sephora’s often incur major legal fees. Plus, he says, “the cost of retroactively updating policies and digital infrastructure will be considerably more expensive than having built it properly from the start.”


There’s a data storm brewing

Other experts agree with Garcia’s implication that this is just the beginning of a far-reaching crackdown on CCPA compliance – and that organizations would do well to proactively prepare.

“The settlement sends a clear message that companies cannot wait until [the CCPA’s amendment law] the California Privacy Rights Act and its implementing regulations are in place before prioritizing compliance with California privacy law,” says Keir Lamont, senior counsel at the Future of Privacy Forum, a Washington, DC-based think tank and data privacy advocacy group.

Broadly speaking, this is an especially high-pressure moment in the world of data privacy in the US. The country is readying for five new state-level privacy laws to go into effect within the next year – many of which include opt-out requirements for the processing of users’ personal information for targeted advertising purposes similar to those found in CCPA. Plus, each of these bills includes different protections, definitions of key terms and thresholds for applicability, creating a range of new challenges for businesses that collect or traffic in consumer data.

At the same time, Congress is inching closer than it’s come in decades to passing a comprehensive, federal-level privacy bill in the bipartisan American Data Privacy and Protection Act, and the US Federal Trade Commission this month announced new plans to crack down on data privacy.

“This is an inflection point,” says Rachel Pepple, vice-president of corporate marketing at cybersecurity firm ExtraHop. “We’re going to see more and stronger enforcement, whether it’s [the EU’s General Data Protection Regulation], CCPA or ADPPA moving forward. For organizations, truly understanding where their data lives and who has access under what circumstances will be critical.”
