In the first public enforcement action of California’s landmark data-privacy law, the state’s attorney general on Wednesday announced a $1.2 million settlement with Sephora Inc.
The state accused Sephora, which is owned by LVMH SE
of failing to disclose to customers that it sells their personal information; failing to process users’ requests to opt out of having their personal information sold; and failing to act to correct its violations within 30 days, as currently allowed by the California Consumer Privacy Act.
In a news conference Wednesday, California Attorney General Rob Bonta said his office has been doing investigative sweeps of online retailers to check their compliance with the CCPA and had sent out more than 100 notices of violations. A “vast majority” of businesses changed their behavior to comply with the law once they received the notices, he said.
According to the complaint by Bonta’s office, “Sephora did not tell consumers that it sold their personal information; instead, Sephora did the opposite, telling California consumers on its website that ‘we do not sell personal information.’ “
“[Sephora’s] actions compared to others was egregious,” the attorney general said in the news conference. “This was an appropriate and fitting set of circumstances for them to face.”
Sephora does not admit guilt or liability for any of the allegations, according to the settlement. A spokeswoman for the company said Wednesday that “Sephora uses data strictly for Sephora experiences,” and that consumers have been able to opt out of a “personalized shopping experience” since November 2021. She added: “We have always cooperated fully with the OAG and Sephora’s practices are already in compliance with the CCPA.”
The CCPA is a first-in-the nation law that was passed in 2018 and went into effect in 2020. It gives Californians the right to know what information a business collects about them and shares; the right to delete personal information collected from them; the right to opt out of the sale of their personal information; and the right to not be discriminated against for exercising all the rights the CCPA gives them.
Explainer: What California’s landmark privacy law does, what has changed and what it means for investors
Since the passage of the California privacy law, a few other states have passed similar laws and a federal bill is making its way through Congress. Last month, Bonta and other state attorneys general urged Congressional leaders to ensure any federal legislation does not pre-empt state laws.
See: The long-awaited U.S. data-privacy bill appears to be on track, again
Bonta said his office sent out a dozen more notices of violations Wednesday. He also warned that after the end of the year, businesses will lose their 30-day window to comply with the CCPA.
“Businesses will have to comply from the outset,” he said. “It is not a suggestion. It’s the law and must be complied with.”
Besides paying the settlement amount and correcting its behavior to comply with the law, the beauty-products company must also, within 180 days of the effective date of the judgment and for the next two years afterward, provide annual reports to the attorney general about its sale of personal information, how it is processing opt-out requests and more. The settlement is pending court approval.