For many businesses, compliance with the California Consumer Privacy Act (CCPA) has been sitting on the back burner for a couple of years. Although the law took effect on January 1, 2020, companies of all sizes are still struggling to become compliant.

And who can blame them? Complying with today’s privacy laws can be complex, expensive, and stressful—but it’s also increasingly essential.

If you’re still not convinced it’s time to get in line with CCPA compliance, California’s Attorney General (and the California Privacy Protection Agency) may make an example out of you.

Don’t believe us? Ask Sephora.

Sephora’s data privacy blunder

California enforced its privacy law for the first time in August 2022, announcing a $1.2 million settlement with beauty retailer Sephora for failing to comply with the CCPA. By filing the complaint against Sephora, the California Office of the Attorney General has now done what Sephora failed to do: inform consumers that the company sells their personal data (like their location or the products in their online shopping cart). The cat is out of the bag.

As part of the settlement, Sephora must also comply with the terms of CCPA, including:

  • Adding a statement to their online disclosures and privacy policy to make it clear that they sell personal information.
  • Giving consumers the chance to opt out of the sale of personal information.
  • Adjusting its service provider agreements to comply with the CCPA.
  • Giving the Attorney General reports about the sale of personal information, its relationships with service providers, and its progress in honoring the Global Privacy Control (GPC), a browser setting that sends a universal opt-out signal to every website the user visits.

Where did Sephora go wrong?

According to California’s Attorney General, the Sephora case was part of an enforcement sweep of many high-profile retailers doing business in the state. Plenty of companies received warnings from the Attorney General about compliance issues, but Sephora was the only retailer that failed to make adjustments to comply with new privacy regulations. (Something to keep an eye on: some other companies made adjustments that may yet be deemed insufficient.)

The Attorney General detailed the case against Sephora in a civil complaint, seeking to enjoin Sephora from continuing its data collection practices. According to that complaint, the Sephora website continued to collect and sell personal information to third parties (like advertisers and analytics providers), even when consumers activated the GPC opt-out signal. (Whoopsies!)

The Attorney General alleged that the Sephora website was never configured to detect or process the GPC signal. The complaint also said that when consumers browsed Sephora products online, the company collected information such as cookies, user identifiers, details about their operating systems, and more.

Sephora allegedly installed third-party trackers that automatically passed on personal information to advertisers and other business partners. This setup gave them access to discounted, high-quality analytics about consumer activity on their website—yet their website visitors never knew, and some of them thought they had successfully opted out of that kind of information sharing.
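The failure described above is a configuration gap: the site simply never looked for the signal. The following is an added example (not code from the original post, and not Sephora's code) showing how a site can detect GPC and refuse to load sale-or-share trackers when it is present. GPC is conveyed in two real ways: the `Sec-GPC: 1` request header, which a server can read, and the `navigator.globalPrivacyControl` property, which page scripts can read. The tracker inventory, the `explicitOptOut` flag standing in for a site's own "Do Not Sell or Share" control, and the sample requests are constructed for illustration.

```javascript
// Added example (not from the original post or from Sephora): detect the
// Global Privacy Control (GPC) opt-out signal and gate third-party trackers
// on it. GPC reaches a site two ways:
//   - the HTTP request header `Sec-GPC: 1` (readable server-side), and
//   - the `navigator.globalPrivacyControl` property (readable in the browser).
// Any other header value, or a missing header/property, means "no signal".

// Returns true when the request or the browser carries a GPC opt-out.
// `headers` is a plain object of request headers in any casing;
// `nav` is the browser's navigator object, or undefined on the server.
function gpcOptOut(headers = {}, nav) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'sec-gpc'
  );
  if (entry && String(entry[1]).trim() === '1') return true;
  if (nav && nav.globalPrivacyControl === true) return true;
  return false;
}

// Constructed, hypothetical tracker inventory. `saleOrShare` marks tags that
// pass personal information to a third party in exchange for something of
// value (analytics, ad credit), which the CCPA treats as a sale or share.
const TRACKERS = [
  { name: 'first-party-analytics', saleOrShare: false },
  { name: 'ad-network-pixel', saleOrShare: true },
  { name: 'analytics-vendor-beacon', saleOrShare: true },
];

// Returns the names of trackers that may load for this visitor. Sale/share
// trackers are dropped when GPC is on OR the visitor used the site's own
// opt-out control (modelled here as the hypothetical `explicitOptOut`).
function allowedTrackers({ headers = {}, nav, explicitOptOut = false } = {}) {
  const optedOut = explicitOptOut === true || gpcOptOut(headers, nav);
  return TRACKERS.filter((t) => !t.saleOrShare || !optedOut).map((t) => t.name);
}

// Response headers to add when the HTML differs by signal, so a CDN or proxy
// never serves a cached "trackers on" page to an opted-out visitor
// (assumption: the site's pages are cacheable somewhere between it and users).
function cacheHeadersForGpc() {
  return { Vary: 'Sec-GPC' };
}

// Stand-alone demonstration with constructed requests.
const signalledRequest = { headers: { 'Sec-GPC': '1', Accept: 'text/html' } };
const plainRequest = { headers: { Accept: 'text/html' } };
console.log('GPC on :', allowedTrackers(signalledRequest));
console.log('GPC off:', allowedTrackers(plainRequest));
console.log('cache  :', cacheHeadersForGpc());
```

On the server, run `allowedTrackers` before rendering so sale-or-share tags are left out of the HTML entirely; in the browser, run it again with `nav: window.navigator` before any tag manager injects scripts, because a client-side loader can otherwise add back what the server omitted. Treat the signal as the opt-out itself: a visitor who sends GPC should not also have to find and click a banner.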

What can we learn from Sephora?

Whew. So what can businesses learn from the Sephora vs. California Attorney General debacle?

To start, the incident highlights the need for all companies to be more transparent about how personal data is being used—and when third-party trackers are installed on their website or apps.

Another lesson: Under the CCPA, the sale of personal data goes well beyond an actual “sale.” In Sephora’s case, it was more of a “trading” situation, in which the retailer gave third parties access to consumer data in exchange for analytics and reports. But California’s law considers exchanging personal information for anything of value, not just for money, to be a sale. So the Attorney General took a hard look at Sephora’s setup and said, “Same difference to us.”

Ultimately, companies need to realize that their compliance documents and practices are under a higher level of scrutiny than ever before. Businesses that want to avoid the fate of Sephora need to take action by:

  • Assessing whether their cookies and third-party trackers amount to selling or sharing consumer data.
  • Making sure privacy notices are completely transparent.
  • Ensuring that opt-out mechanisms actually work, including honoring browser-level signals such as GPC.
  • Aligning all privacy practices with the obligations of the CCPA and the California Privacy Rights Act (CPRA), which significantly amends the CCPA and goes into effect January 1, 2023.

Stay compliant with SixFifty

Are you overwhelmed by California privacy compliance requirements? If so, we have some good news. SixFifty offers a streamlined, affordable, user-friendly platform that helps you comply with a host of privacy laws, including the CCPA and CPRA.

Don’t be Sephora. Schedule a demo with SixFifty today.