Privacy Alert: California AG Announces “Kid Gloves Are Coming Off” with First CCPA Settlement

September 27, 2022

The office of the California Attorney General (“AG”) has sent a clear message that it is serious about enforcing the California Consumer Privacy Act (“CCPA”) and that “the kid gloves are coming off” with respect to businesses that fail to comply with the law. On August 24, 2022, the AG concluded its first ever enforcement action under the CCPA, settling with cosmetics retailer Sephora, Inc., for $1.2 million over allegations that Sephora failed to disclose that it sells consumers’ personal information to third parties through its use of cookies and other tracking technologies and did not process consumer “opt-out” requests made via user-enabled global privacy controls.

The settlement highlights the AG’s position that use of third-party cookies for targeted advertising is a “sale,” unless an exception applies.

What Happened?

The settlement with Sephora arose out of the AG’s “enforcement sweep” of online retailers. After the AG notified Sephora of alleged CCPA violations, Sephora failed to cure those violations within the 30-day cure period currently allowed under the CCPA. Specifically, the AG determined that Sephora violated the CCPA by doing the following:

  • Failing to disclose to consumers that Sephora sold their personal information, despite deploying third-party tracking technologies (including cookies, pixels, and software development kits) on its website that monitored consumers while they shopped and automatically sent data about consumers’ online behavior to the third-party companies. In exchange for its shoppers’ personal information, Sephora received analytics data and an opportunity to serve targeted advertisements to the same shopper through the third party’s advertising network. The enforcement action makes clear that the AG broadly interprets the term “sale” under the CCPA and applies it to “[b]oth the trade of personal information for analytics and the trade of personal information for an advertising option.”
  • Failing to provide consumers with methods to opt-out of the sale of their personal information. Under the CCPA, California consumers have the right to opt-out of the sale of their personal information, and businesses are required to provide consumers with at least two methods to submit opt-out requests, including via a mandatory “Do Not Sell My Personal Information” link conspicuously posted on the business’s website homepage. Additionally, an often-overlooked regulation requires businesses that collect personal information online to “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request.” In addition to failing to post a “Do Not Sell My Personal Information” link on its website homepage, Sephora failed to respond to or process consumer opt-outs sent via global privacy control signals.

The settlement requires Sephora to:

  • Update its disclosures, including its privacy policy, to state that it sells personal information;
  • Provide consumers with mechanisms to opt-out of the sale of their personal information and recognize global privacy control signals;
  • Incorporate CCPA-specific terms in its service provider agreements; and
  • Provide reports to the AG on progress regarding the above requirements.

What Are the Takeaways?

First and foremost, the settlement shines a light on the AG’s expansive reading of a “sale” of personal information under the CCPA. The CCPA defines a “sale” of personal information as the disclosure of consumer personal information by a business “to another business or a third party for monetary or other valuable consideration.” Because Sephora gave companies access to consumers’ personal information in exchange for free or discounted analytics and advertising benefits, Sephora effectively “sold” the personal information to the third-party tracking services. Notably, Sephora did not have valid service provider contracts in place with each third party; a disclosure to a contracted service provider is one exception to a “sale” under the CCPA.

Second, the AG is serious about enforcing businesses’ recognition of global privacy controls, such as the Global Privacy Control (“GPC”). A user-enabled global privacy control is a tool that allows the consumer to signal their opt-out request to every website they visit, without having to manually request to opt-out of the sale of their personal information on each website. While user-enabled global privacy controls typically take the form of a browser plug-in, the AG’s office has stated that the regulation is “technology-neutral” and “does not prescribe a particular mechanism or technology.” The AG has singled out the GPC as one mechanism that satisfies the legal requirements and should be recognized. The GPC is a specification that was developed by a broad coalition of stakeholders, including the current executive director of the California Privacy Protection Agency, as well as web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations.

What Steps Should Businesses Take Now?

Given the above, businesses subject to the CCPA should take the following steps to ensure compliance:

  • Review your use of third-party tools, such as cookies and pixels, to determine whether you “sell” personal information. If you do not have CCPA service provider language incorporated into the contract with the third-party service provider, sharing of consumers’ personal information with the third party could constitute a “sale” unless another exception applies under the CCPA. Remember that a “sale” doesn’t necessarily require any money to change hands, and your use of common analytics and advertising cookies and other tracking technologies could mean that you “sell” personal information.
  • Ensure that your privacy policy is up-to-date with your current data sharing practices. If your review of third-party tools reveals that you engage in a “sale” of personal information, make sure that your privacy policy states that you “sell” personal information.
  • Ensure that you provide consumers with the required opt-out methods if you engage in a “sale” of personal information, including through recognition of global privacy control signals. Businesses are required to provide consumers with at least two methods to opt-out of the sale of their personal information. Businesses that sell personal information must include a “Do Not Sell My Personal Information” link on their homepage, which should allow the consumer to opt-out of the sale. Additionally, businesses that collect personal information from consumers online must treat user-enabled global privacy controls, such as the GPC, as a valid request to opt-out of the sale.
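The following is an added illustration, not code from the alert or from any of the parties it discusses, of how a website can recognize the GPC signal described above and treat it as an opt-out: the `Sec-GPC` request header and the `navigator.globalPrivacyControl` property are the names defined by the GPC specification; the function names, the tag list and the sample requests are constructed for this example.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal as a CCPA
// opt-out of "sale". Header/property names are from the GPC specification
// (https://globalprivacycontrol.github.io/gpc-spec/); everything else is a
// constructed illustration and is not the alert's or any retailer's code.

// Server side: the browser sends "Sec-GPC: 1" when the user has enabled GPC.
// The spec defines only the value "1"; anything else is treated as no signal.
function gpcHeaderSignalsOptOut(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Client side: GPC-capable browsers expose navigator.globalPrivacyControl.
// A tag manager running in the page can check this before firing vendor tags.
function gpcClientSignalsOptOut(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Constructed tag inventory. Tags that send personal information to a third
// party that is NOT a contracted service provider are a "sale" under the AG's
// reading and must be suppressed once the consumer has opted out.
const TAGS = [
  { name: "ad-network-pixel", isSale: true },
  { name: "analytics-vendor-sdk", isSale: true },
  { name: "first-party-analytics", isSale: false }, // no third-party disclosure
];

function selectTags(tags, optedOut) {
  return tags.filter((t) => !optedOut || !t.isSale).map((t) => t.name);
}

// Combine every valid opt-out method: a GPC signal is honored exactly like a
// request submitted through the "Do Not Sell My Personal Information" link.
function handlePageLoad(request, manualOptOut = false) {
  const optedOut = manualOptOut || gpcHeaderSignalsOptOut(request.headers);
  return { optedOut, tagsToLoad: selectTags(TAGS, optedOut) };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  gpcOn: { headers: { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" } },
  gpcOff: { headers: { "User-Agent": "ExampleBrowser/1.0" } },
  bogus: { headers: { "sec-gpc": "yes" } }, // not a valid GPC value
};
```

A production deployment would also persist the opt-out against the consumer's session or account so that it survives across page loads, which the example leaves out.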

Under the CCPA, businesses are currently entitled to a 30-day cure period after notification of non-compliance; once the California Privacy Rights Act (“CPRA”) comes into effect on January 1, 2023, granting a cure period will be at the regulator’s discretion.

How can GD help?

If you have any questions regarding this client alert or need assistance with evaluating your obligations under the CCPA, please reach out to your Gunderson Dettmer attorney or contact one of our data privacy experts:

  • Anna Westfelt, (650) 463-5367
  • Cecilia Jeong, (646) 490-9094
  • Frida Alim, (415) 801-4921
  • James Gately, (617) 648-9313
  • Brian Hall, (415) 801-4898