California Attorney General Bark Turns to Bite as First CCPA Settlement Includes Monetary Penalty
In a long-anticipated development, on August 24 California Attorney General Rob Bonta ("Cal AG") announced the state's first monetary penalty under the California Consumer Privacy Act ("CCPA"), in a settlement with the beauty products retailer Sephora USA, Inc. ("Sephora"). Under the settlement, Sephora will pay a US$1.2 million penalty and must implement measures to comply with the CCPA, including clearly disclosing on its website that it sells personal information to third parties, providing consumers with methods to opt out of the sale of personal information, and ensuring its contracts with service providers comply with CCPA requirements. Importantly, the penalty imposed by the Cal AG finally gives the Cal AG's efforts to enforce the CCPA's requirements some teeth, and those teeth should only grow sharper as businesses lose the right to automatically cure noncompliance on January 1, 2023, when the California Privacy Rights Act ("CPRA") goes into effect. As such, businesses should work to address any CCPA and CPRA compliance gaps before the buffer provided by the cure provision expires.
Sephora Action and Claims
While the Cal AG has been active in investigating companies since the CCPA became enforceable in July of 2022, until now it had yet to issue a penalty for noncompliance with the CCPA. The Cal AG's action against Sephora arose out of a broad California Department of Justice enforcement sweep of online retailers, begun in June 2021, which focused specifically on whether online retailers were recognizing and processing requests to opt out of the sale of personal information that individuals communicated through Global Privacy Control ("GPC") signals. On June 25, 2021, the Cal AG notified Sephora that it may be in violation of the CCPA and directed the company to cure the violations within the 30-day cure period. When the company allegedly did not cure the violations within 30 days, the Cal AG launched an investigation. Following its investigation, the Cal AG filed a complaint against Sephora on August 23, 2022 and entered into a settlement the next day.
The Cal AG alleges that Sephora failed to facilitate consumers' right to opt out of sales, because it did not provide a "Do Not Sell My Personal Information" link on its website or in its mobile app, and because it failed to process users' opt-out preferences that were electronically communicated by GPC signals. With regard to GPC, the Cal AG specifically alleged that in its testing of Sephora's website the use of GPC did not result in any discernible effect on the browsing experience, leading it to conclude that the website was not processing GPC requests.
In addition, the Cal AG alleges in the complaint that Sephora "did not have valid service-provider contracts in place with each third party" advertising or analytics provider. This is significant because a business's sharing of personal information with a service provider is not considered a "sale" under the CCPA. In the absence of service provider contracts with these third-party advertising and analytics providers, the Cal AG alleged that Sephora's disclosure of personal information to those third parties constituted a "sale."
The settlement was filed on August 24, 2022. The terms of the settlement provide insight on how the Cal AG will (and California Privacy Protection Agency might) structure future settlements covering noncompliance with the CCPA or CPRA. In many ways, the form of the settlement and relief resembles settlements issued by other regulators for alleged violations of data privacy requirements. In addition to the US$1.2 million monetary penalty, Sephora specifically agreed to:
- process consumer requests signaled from GPC to opt out of selling their personal information;
- implement and maintain a program to monitor processing of consumer opt-out requests;
- review entities with which it shares personal information and ensure it has the necessary service provider contracts in place; and
- for a period of two years, report annually to the Cal AG on its efforts to process consumer requests to opt out of the sale of personal information, including through GPC, and on its relationships with service providers.
As we have previously described with regard to CCPA and CPRA compliance, depending on a business's current level of implementation, the necessary compliance obligations could range from a few updates to your existing data privacy compliance program to a more comprehensive implementation effort. Several takeaways from the settlement are worth mentioning:
- Respect Consumer Use of Global Privacy Controls. As the Cal AG has emphasized for the past year, businesses must implement technology to recognize and accept consumer technology that permits consumers to universally opt out of the sale of their personal information (Global Privacy Controls). Businesses must accept and process these Global Privacy Controls so that they have the same effect as a consumer's use of a "Do Not Sell My Personal Information" link;
- Third-Party Tracking is a "Sale". The Cal AG has continued to broadly interpret the definition of "sale" to include a business permitting third parties to track consumers on its website. In its complaint against Sephora, the Cal AG claimed that Sephora sold personal information when it "gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits." As such, companies should be mindful of the Cal AG's stance on this issue when determining whether they sell personal information under the CCPA. Any benefit received from a third party that receives personal information from a business may be seen as a "sale" in the eyes of the Cal AG. If a "sale" is taking place, a business should offer legally compliant methods for California consumers to opt out. It is worth noting that this interpretation of "sale" under the CCPA is more clearly defined in the CPRA, which identifies such tracking activity as "sharing" and imposes similar obligations on businesses;
- Service Provider Contracts Must Comply with CCPA Content Requirements. Arrangements with third parties who process personal information on behalf of a business should include written agreements that contain provisions limiting the third party's retention, use or disclosure of the personal information to the purpose of performing the services. The absence of an agreement with such provisions creates a risk that the personal information provided or made available to third parties could be considered a sale under the CCPA. However, where such language is incorporated into the relevant agreements, a business can take the position that the CCPA's service provider exception to a sale applies, which relieves the business of the obligation to facilitate a consumer request to opt out of the sale of that personal information. Businesses should remain mindful that the CPRA will impose additional content and form requirements for service provider contracts when it takes effect on January 1, 2023; and
- CCPA Violations Can Occur During Each Website Visit. The Cal AG took the position in its complaint that Sephora violated the CCPA each time a California consumer visited the Sephora website while the company was not compliant with the CCPA's requirements. This had previously been an area of ambiguity under the CCPA. Under this approach, the Cal AG may claim significant damages during settlement negotiations with businesses that are accused of violating the CCPA.
The CCPA and upcoming CPRA compliance requirements encompass much more than those areas of noncompliance identified in the settlement here. With stiffer enforcement, less certain cure rights and the January 1, 2023 CPRA effective date looming, businesses would do well to evaluate compliance and address any gaps under California's data privacy laws.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2022 White & Case LLP