Following an enforcement sweep by the Attorney General, it was found that Sephora failed to disclose to consumers that it was selling their personal information. The CCPA requires that consumers be notified if their information is going to be sold to a third party, so that they can opt out of the sale if they wish. Visitors to Sephora’s website were being tracked by third parties that could build profiles about them.
CCPA Compliance Program
A compliance program has been created with Sephora to ensure it effectively complies with the CCPA going forward. For 2 years following the effective date of the settlement, Sephora shall:
- Implement and maintain a program to assess and monitor whether it is effectively processing consumers’ requests to opt out of the sale of their personal information
  - Including requests submitted via user-enabled Global Privacy Controls (GPCs)
- Annually report the results of its assessments, which include:
  - A detailed overview of the testing it has done to assess and monitor its processing of consumer opt-out requests; and
  - An analysis of any errors or technical problems encountered in processing consumer opt-out requests, including steps taken to fix or remediate those errors or problems
- Conduct an annual review of its website and mobile apps to determine which entities it makes personal information available to
- Document and annually report the results of its website and app review, which includes:
  - Names of entities to which it makes personal information available
  - Personal information made available to these entities
  - Purpose for making information available to these entities
  - Whether it characterizes these entities as service providers
For entities that Sephora contends are service providers, Sephora will need to enter into contracts with those entities and document those contracts in its annual report. For entities that are not service providers, Sephora must do one of the following:
- Enter into or amend its contract with the entity to render it a valid service provider; or
- Cease making personal information available to that entity.
For entities that have a specific contractual agreement with Sephora, it shall:
- Enable restricted data processing for all consumers, including in its implementation of the GPC; or
- Cease making personal information available to the entity.
Sephora had a 30-day cure period under the CCPA to fix the problems but failed to do so. As such, the Attorney General has proposed this settlement of $1.2 million. Sephora has agreed to pay the penalties for its CCPA violations. The proposal is now with the Superior Court for approval.