California data privacy law shuts down Sephora and sets the stage for the future

The first enforcement action under the California Consumer Privacy Act (CCPA) sets a precedent for data privacy regulation nationwide and for how companies navigate the collection and use of customer data, including its sale to third parties.

Personal care and beauty products retailer Sephora has agreed to pay a $1.2 million fine as part of a settlement with California in response to a lawsuit filed by Rob Bonta, the California Attorney General. The charges alleged that Sephora failed to notify consumers that their personal information was being sold while stating on its website that it does not sell personal information. The complaint further alleged that Sephora did not provide an easy-to-find link on its website or app that customers could use to opt out of the sale of their personal information.

More regulations are beginning to address privacy and data collection, though enforcement may be a drip, for now, rather than a flood, says Cobun Zweifel-Keegan, chief executive of the International Association of Privacy Professionals (IAPP) in Washington, DC. The Sephora settlement, however, shows that the state is actively enforcing the law. “It shouldn’t come as a complete surprise to anyone who has been following…the way California regulators have spoken about their interpretations of [CCPA],” he says. “It’s about bringing those interpretations to life and making it clear that there are enforcement powers behind the CCPA requirements.”

Zweifel-Keegan says introducing more enforcement agencies will likely lead to more cases, including in other states such as Colorado, which is finalizing its data privacy regulations.

The California Attorney General’s focus on “Do Not Sell” and the use of ad vendors was also not where the community expected regulators to act first, says Daniel Barber, CEO of DataGrail. “I don’t think Sephora’s response was what the community actually expected,” he says. “That kind of sent shockwaves through the industry.”

The AG’s rulings may have unsettled privacy professionals, Barber says, and raised questions about ad technology that relies on customer information, which companies might view as collection and processing rather than as a sale. “Any business that uses ad providers really thinks about whether they’re selling information or not,” he says.

What constitutes a sale?

There are different perspectives, Barber says, on what constitutes a sale. For example, what if information is exchanged between companies without money changing hands? “Many members of the community would have argued that this was not about ‘selling’ information,” he says. “Now it’s very clear that the AG intends to take a position on this particular definition, a definition of ad technology, included in the concept of ‘Do Not Sell’.” Other state-level regulations may have similar constructs to the CCPA, Barber says. “The impact will continue over the coming months.”

Data collection and privacy are increasingly complex issues that have come to include concerns about how consumers are targeted by advertisements, how they are judged by financial lenders, and the inferences that might be made about women’s health as many states pass anti-abortion laws.

Some of the language in the complaint and in California’s settlement with Sephora helps define the outlook that regulators might take. For example, the California complaint cited tracking software on Sephora’s website and app that allowed third parties to monitor consumers, giving those companies insight into the types of computers consumers use, their location, and the products added to their online shopping carts. Third parties could then present analytics based on this information to Sephora to better target digital advertisements.

More privacy legislation is in the works. For example, California lawmakers are working on a law to prohibit the creation and use of so-called addictive features on social media. California is also working on protecting the privacy of minors who go online. “They’re really designed around child and teen safety,” says Zweifel-Keegan. “They have privacy implications in that they will impact how companies collect and process personal information.”

Monitoring practices

California regulators went on to describe the tracking practices cited in the complaint as “third-party surveillance,” a term comparable to the Federal Trade Commission’s recent use of “commercial surveillance” for the collection, analysis, and commercial exploitation of data collected from the public.

Zweifel-Keegan says organizations should have contracts between data controllers and data processors, or between companies and their service providers, that specify the purpose of processing customers’ personal information and what its limits should be. “This is something that came up in the Sephora case because it appears that certain third-party entities may be collecting personal information through publisher websites,” he says.

There is also the issue of presenting clear options for customers to opt out of having their information collected and sold. The privacy community, Zweifel-Keegan says, is thinking about what it means to offer usable choice mechanisms for consumers with discussions about how they’re presented. “There’s a lot of talk about ‘choice fatigue’ — having too many pop-ups, too many questions,” he says. “It makes consumers not necessarily feel like they’re in the driver’s seat.”

Zweifel-Keegan says Sephora’s deal with California puts into perspective that data collection, privacy and related analytics are likely to come under greater scrutiny across the market. “It’s not just big tech that needs to think about privacy,” he says. “It’s a clear message that California is sending by going to a company like Sephora.”
