This article is more than 1 year old
Sephora to pay $1.2m to settle Cali privacy law claims – and why this is a big deal
Online shops sharing data about you with others qualifies as a sale in AG's book – and that means rules apply
Sephora has agreed to cough up $1.2 million to settle claims it broke California's privacy law.
This is the first pay out the US state has secured using the relatively new legislation – and will be a shot across the bows of corporations selling information about people without their full consent.
The settlement follows Cali Attorney General Rob Bonta's year-long "enforcement sweep," in which he probed Sephora and other businesses to see if any of them were falling foul of the California Consumer Privacy Act (CCPA).
According to the legal eagle, the multinational makeup emporium failed to properly disclose to people that it was selling data about them. Sephora also failed to process people's requests to opt out of the sale of this info, in violation of the state's privacy law, Bonta alleged. We're told Sephora also ignored the wishes of netizens who signaled via a Global Privacy Control (GPC) supporting browser or extension that they did not want their personal data sold.
Sephora, according to court documents [PDF], granted third-party companies including advertising networks and data analytics providers access to its customers' online activities in exchange for advertising or analytic services. This allegedly allowed these third parties to create profiles of netizens by tracking whether they, for instance, used a MacBook or a Dell, the brand of eyeliner they bought, or even which prenatal vitamins they added to their online shopping cart, as well as their precise location.
According to Bonta, this constitutes a sale of consumer data. "Both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA," the lawsuit argued.
Sephora, for its part, disagrees.
"Sephora respects consumers' privacy and strives to be transparent about how their personal information is used to improve their Sephora experience," a spokesperson told The Register, adding that "Sephora uses data strictly for Sephora experiences."
The issue, according to the beauty behemoth, is that the CCPA doesn't define "sale" in the traditional sense.
"'Sale' includes common, industry-wide technology practices such as cookies," the spokesperson told us, "which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.
"Consumers have the opportunity to opt-out of this personalized shopping experience by clicking the 'CA – Do Not Sell My Personal Information' link on the footer of the Sephora.com website or by using a browser that broadcasts the Global Privacy Control."
Opt-out, who dat?
Sephora further claimed it has allowed people to opt-out of the sale of personal info, including via the GPC, since November 2021.
The state's investigation, meanwhile, used browser extensions to monitor network traffic involving third-party advertising and analytics providers when visiting Sephora's dot-com, and then looked at how that traffic changed when consumers turned on the GPC — essentially telling Sephora: do not sell my info. According to the court document, Sephora's site ignored that signal:
In investigating Sephora's website, the Attorney General found that activating the GPC had no effect and that data continued to flow to third-party companies, including advertising and analytics providers. Subsequent testing confirmed that Sephora's website took no action to block the transmission of personal information even when a California consumer signaled their opt-out using the GPC. In short, Sephora completely ignored the GPC.
"I hope today's settlement sends a strong message to businesses that are still failing to comply with California's consumer privacy law," Bonta said in a statement this week. "My office is watching, and we will hold you accountable."
- Global Privacy Control emerges as latest attempt to let netizens choose whether they want to be tracked online
- National data privacy law for the US clears first hurdle
- FTC ponders proper punishment for commercial data 'surveillance' and shoddy security
- Facebook hands over chats to cops in post-Roe abortion case
In addition to paying a $1.2 million fee, the settlement [PDF] also requires the global retailer to clarify its online disclosures and privacy policy to make it clear that it sells data, and provide ways for netizens to opt-out of this, including via the GPC.
Sephora also agreed to change its service provider agreements to meet CCPA requirements and provide reports to the attorney general relating to its sale of personal information.
Biz put on notice
"The enforcement against Sephora has two pretty big features," Forrester Research analyst Stephanie Liu told The Register. "The first one is that the attorney general is defining the sale of data really broadly."
The debate over what constitutes a sale of consumer information under the CCPA has been ongoing, even prior to the law taking effect in 2020. It's worth noting, however, that the California Privacy Rights Act (CPRA), which expands the CCPA and goes into effect in January 2023, also mandates companies not "share" folks' personal information with third parties.
"The AG is saying that Sephora is capturing useful data on you and sharing it with other companies, which qualifies as a sale in his book," Liu said. "And so that is really noteworthy."
Will GPC gain traction?
The second interesting data point in the settlement, according to Liu, is its inclusion of the GPC.
"It's saying that Sephora didn't honor users' Global Privacy Control settings as a signal to opt out of selling their information, and that's a win for privacy advocates," she added.
"The Global Privacy Control has been an idea for a couple of years now, and it still hasn't been widely adopted — it's not in Google Chrome, for example," Lui said. "This clearly signals that the California AG takes it seriously and is already considering it to be valid as a form of opt out."
Plus, the enforcement action comes at a time when data privacy has become a hot-button issue with advocates and lawmakers sounding alarms about how digital data, such as geolocation, search history, private chats, and even purchases can be used to snoop on and prosecute people.
Post-Roe privacy implications
This was the case for a Nebraska mother and teenage daughter when Meta, after being served with a subpoena, handed over private Facebook chats between the women that were later used to build a criminal case against the daughter for getting a now-illegal abortion in her home state.
Bonta specifically draws attention to post-Roe data privacy issues in the state's lawsuit against Sephora:
The ramifications of this third-party surveillance can go beyond ordinary consumer profiling. Sephora's website allows visitors to browse and purchase products such as prenatal and menopause support vitamins — data points which can be used by third-party companies to infer conclusions about women's health conditions, like pregnancy.
California's enforcement action, and requiring companies to allow consumers to opt-out of the sale of their data, is a positive move for the state's consumers — "and for all of us," EFF Senior Legislative Activist Hayley Tsukayama told The Register.
"Respecting consumer choices about data is more important than ever, given the way information flows through the opaque data ecosystem," Tsukayama said. "A lot of information — even what cosmetics we're buying — can reveal sensitive things about our health."
"We're also glad to hear the attorney general has made, in his words, an 'enforcement sweep' examining other potential violators of the CCPA," she continued. "Most of the enforcement for the CCPA rests in the attorney general's hands, and it's important to pursue these types of violations strongly." ®