Multinational Online Retailer Fined for CCPA Violation

Richard Foster
April 21, 2023

On August 24, 2022, the California Attorney General announced a settlement with a multinational online retailer, Sephora, Inc. (Sephora), resolving allegations that the company violated the California Consumer Privacy Act (CCPA). This is the first settlement of a CCPA enforcement action.

After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the 30-day period currently allowed by the CCPA. 

Many online retailers allow third-party companies to install tracking software on their website and in their app so that third parties can monitor consumers as they shop. These third parties track all types of data – in Sephora’s case, the third parties could create profiles about consumers by tracking whether a consumer is using a MacBook or a Dell, the brand of eyeliner or the prenatal vitamins that a consumer puts in their “shopping cart,” and even a consumer's precise location. 

Sephora's arrangement with these companies constituted a sale of consumer information under the CCPA, and it triggered certain basic obligations, such as telling consumers that it is selling their information and allowing consumers to opt out of that sale. Sephora did neither.

This settlement requires Sephora to pay $1.2 million in penalties and comply with important injunctive terms. Specifically, Sephora must:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control (GPC); 
  • Conform its service provider agreements to the CCPA’s requirements; and 
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor GPC.

A GPC allows consumers to opt out of all online sales in one fell swoop by broadcasting a "do not sell" signal across every website they visit, without having to click on an opt-out link each time. Under the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link.
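The server-side consequence of that rule is that a GPC signal and a click on the "Do Not Sell My Personal Information" link must end in the same place: no personal information flows to third parties for advertising or analytics. The following is an added example illustrating that equivalence; it is not code from the original post or from Sephora. It assumes a request represented as a plain headers mapping plus a hypothetical account flag `clicked_do_not_sell`, and a constructed catalogue of third-party tags. The header name `Sec-GPC` and its value `1` are taken from the GPC specification; everything else is assumed.

```python
"""Honouring the Global Privacy Control (GPC) signal server-side.

Added example, not code from the original post or from Sephora. It assumes
the request is represented as a plain dict of HTTP headers plus a
hypothetical account flag ``clicked_do_not_sell``. The header name
``Sec-GPC`` and the value ``1`` come from the GPC specification
(globalprivacycontrol.org); everything else here is constructed.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Constructed catalogue of third-party tags a retailer might embed. Each tag
# records whether loading it shares personal information with a third party
# for advertising/analytics, which the post treats as a "sale" under the CCPA.
THIRD_PARTY_TAGS = {
    "ad-retargeting-pixel": {"is_sale": True},
    "analytics-profile-builder": {"is_sale": True},
    "fraud-check": {"is_sale": False},  # assumed service-provider use, not a sale
}


@dataclass
class OptOutDecision:
    opted_out: bool
    source: Optional[str]                 # "gpc", "link", or None
    suppressed_tags: list = field(default_factory=list)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the browser sent ``Sec-GPC: 1``.

    Header names are matched case-insensitively because HTTP header names
    are case-insensitive. The spec defines only the value ``1``, so anything
    else (``0``, empty, garbage) is treated as "no signal", never as opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_opt_out(headers: Mapping[str, str], clicked_do_not_sell: bool) -> OptOutDecision:
    """Treat a GPC signal exactly like a click on "Do Not Sell My Personal Information".

    Both paths suppress the same set of tags; the only difference recorded is
    ``source``, which is useful for the kind of GPC-honouring report the
    settlement requires.
    """
    if clicked_do_not_sell:
        source = "link"
    elif gpc_signal_present(headers):
        source = "gpc"
    else:
        return OptOutDecision(opted_out=False, source=None)
    suppressed = sorted(tag for tag, meta in THIRD_PARTY_TAGS.items() if meta["is_sale"])
    return OptOutDecision(opted_out=True, source=source, suppressed_tags=suppressed)


def tags_to_load(decision: OptOutDecision) -> list:
    """Tags the page may still embed after applying the decision."""
    return sorted(t for t in THIRD_PARTY_TAGS if t not in decision.suppressed_tags)


if __name__ == "__main__":
    # Constructed requests: GPC signal, clicked link, and neither.
    for label, hdrs, clicked in [
        ("gpc", {"Sec-GPC": "1", "User-Agent": "example"}, False),
        ("link", {}, True),
        ("none", {"sec-gpc": "0"}, False),
    ]:
        d = decide_opt_out(hdrs, clicked)
        print(label, d.opted_out, d.source, tags_to_load(d))
```

The design point is that the opt-out decision is computed once, before any third-party tag is emitted, and the same suppression list is used regardless of how the opt-out arrived; the `source` field exists only so the reporting obligation in the settlement can be met without changing the outcome.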

This settlement indicates that sharing personal information with third parties for targeted advertising or analytics purposes constitutes a sale under the CCPA, for which consumers must be offered an opportunity to opt out. It also sends a strong message that the Attorney General is serious about enforcing GPC compliance.
