Sephora’s $1.2m CCPA settlement sends a ‘strong message’ to brands

“The alleged CCPA violations are somewhat technical in nature,” says Marci Rozen, data security attorney and legal director at DC-based firm ZwillGen. She says that Sephora “engaged in completely ordinary data sharing activities like using pixels and cookies for online behavioral advertising” and that the company disclosed these practices effectively in its privacy policy.

The allegations instead stem from Sephora’s failure to properly disclose that these activities constitute a ‘sale’ in the way that the term is defined under the CCPA, says Rozen. Under CCPA, a “sale” entails any kind of sharing or disclosure of personal information to a third party for monetary or other valuable consideration. The lawsuit alleges that Sephora provided user data to third parties via tracking technologies such as cookies and other tools that automatically share information, and that the company did not effectively explain these transactions as “sales” to users. The company also failed to offer users a means of opting out of these sales, which is legally required.

The attorney general notified the cosmetics seller on June 25 2021 of its possible noncompliance, but Sephora did not make the necessary changes to its website within the 30-day cure period required by CCPA. As a result, the retailer must now cough up close to $1.2m in fines.

In a press conference following the announcement, Bonta said: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable ... There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Financial risks outweigh brand reputation risks

Although the settlement reflects poorly on Sephora, experts are skeptical that the news will shake consumers’ trust in the brand – largely because of the scope of the alleged infringements. “I don’t believe consumers track this type of news closely enough unless it puts them directly at risk, such as an unintentional data leak of credit card details – which we have seen cause significant reputational damage in the past,” says Brady Donnelly, managing director of marketing agency Sela and chief marketing officer at PCA Group. “I’d argue that a fair number [of consumers] assume this is happening already.”

And although Sephora’s brand reputation may not be on the line, the ears of other organizations may be perking up at the news.

“[This] should effectively put to rest any remaining perceived ambiguity ... [concerning] the opt-out of sale requirement as it relates to tracking,” says Arielle Garcia, chief privacy officer at ad agency UM Worldwide.

She suggests that organizations everywhere are under the gun to ensure the details of their privacy policies are compliant with data sales and opt-out requirements. “For brands that may have maintained a position that they ‘do not sell,’ this should serve as a catalyst to bring together privacy, legal, IT and marketing to ensure that advertising and marketing data use is fully contemplated in their CCPA approach.”

If not for the reputational risk, the financial risk alone is likely sufficient motivation to make any necessary changes, says Donnelly. Beyond violation fines, lawsuits such as Sephora’s often incur major legal fees. Plus, he says, “the cost of retroactively updating policies and digital infrastructure will be considerably more expensive than having built it properly from the start.”

There’s a data storm brewing

Other experts agree with Garcia’s implication that this is just the beginning of a far-reaching crackdown on CCPA compliance – and that organizations would do well to proactively prepare.

“The settlement sends a clear message that companies cannot wait until [the CCPA’s amendment law] the California Privacy Rights Act and its implementing regulations are in place before prioritizing compliance with California privacy law,“ says Keir Lamont, senior counsel at the Future of Privacy Forum, a Washington, DC-based think tank and data privacy advocacy group.

Broadly speaking, this is an especially high-pressure moment in the world of data privacy in the US. The country is readying for five new state-level privacy laws to go into effect within the next year – many of which include opt-out requirements for the processing of users’ personal information for targeted advertising purposes similar to those found in CCPA. Plus, each of these bills includes different protections, definitions of key terms and thresholds for applicability, creating a range of new challenges for businesses that collect or traffic in consumer data.

At the same time, Congress is inching closer than it’s come in decades to passing a comprehensive, federal-level privacy bill in the bipartisan American Data Privacy and Protection Act, and the US Federal Trade Commission this month announced new plans to crack down on data privacy.

“This is an inflection point,” says Rachel Pepple, vice-president of corporate marketing at cybersecurity firm ExtraHop. “We’re going to see more and stronger enforcement, whether it’s [the EU’s General Data Protection Regulation], CCPA or ADPPA moving forward. For organizations, truly understanding where their data lives and who has access under what circumstances will be critical.”

For more, sign up for The Drum’s daily US newsletter here.