California Attorney General Bark Turns to Bite as First CCPA Settlement Includes Monetary Penalty
8 min read
In a long anticipated development, on August 24 California Attorney General Rob Bonta ("Cal AG") announced the state's first monetary penalty under the California Consumer Privacy Act ("CCPA"), in a settlement with the beauty products retailer Sephora USA, Inc. ("Sephora"). Under the settlement, Sephora will pay a US$1.2 million penalty and must implement measures to comply with the CCPA, including clearly disclosing on their website that they sell personal information to third parties, providing consumers with methods to opt out of the sale of personal information, and ensuring their contracts with service providers comply with CCPA requirements. Importantly, the penalty imposed by the Cal AG finally gives the CCPA some teeth in its efforts to enforce the CCPA's requirements, which should only grow sharper as business lose the right to automatically cure noncompliance on January 1, 2023, when the California Privacy Rights Act ("CPRA") goes into effect. As such, businesses should work to address any CCPA and CPRA compliance gaps before the buffer provided by the cure provision expires.
Sephora Action and Claims
While the Cal AG has been active in investigating companies since the CCPA became enforceable in July of 2022, until now it had yet to issue a penalty for noncompliance with the CCPA. The Cal AG's action against Sephora arose out of a broad California Department of Justice enforcement sweep of online retailers, begun in June 2021, which focused specifically on whether online retailers were recognizing and processing requests to opt out of selling personal information that individuals communicated with Global Privacy Controls ("GPC"). On June 25, 2021, the Cal AG notified Sephora that it may be in violation of the CCPA and directed the Company to cure the violations within the 30-day cure period. When the company allegedly did not cure the violations within 30 days, the Cal AG launched an investigation. Following its investigation, the Cal AG filed a complaint against Sephora on August 23, 2022 and entered into a settlement the next day.
In the complaint against Sephora, the Cal AG alleged that the company violated the CCPA by failing to inform consumers on its website that it "sells" their personal information and that consumers have the right to opt out of that sale. Section 1798.140 (t) of the CCPA defines "sale" broadly and includes the transfer of personal information for "anything of value", which, according to the complaint, includes "free or discounted advertising benefits" resulting from online retailers making consumer information available for tracking by third parties. While the complaint acknowledges that Sephora does disclose in its privacy policy that it sells personal information, it alleges that the company's separate online link to privacy information for California residents expressed that Sephora does not sell personal information.
The Cal AG further alleges that Sephora failed to facilitate consumers' right to opt-out of sales, where it did not provide a "Do Not Sell My Personal Information" link on its website nor in its mobile app, and because it failed to process users' opt-out preferences that were electronically communicated by GPC signals. With regard to GPC, the Cal AG specifically alleged that in their testing of Sephora's website the use of GPC did not result in any discernible effect on the browsing experience, leading them to conclude that the website was not processing GPC requests.
In addition, the Cal AG alleges in the complaint that Sephora "did not have valid service-provider contracts in place with each third party" advertising and analytics providers. This is significant because a business's sharing of personal information with a service provider is not considered a "sale" under the CCPA. In the absence of service provider contracts with these third party advertising and analytics providers, the Cal AG alleged that Sephora's disclosure of personal information to those third parties constituted a "sale."
Settlement Terms
The settlement was filed on August 24, 2022. The terms of the settlement provide insight on how the Cal AG will (and California Privacy Protection Agency might) structure future settlements covering noncompliance with the CCPA or CPRA. In many ways, the form of the settlement and relief resembles settlements issued by other regulators for alleged violations of data privacy requirements. In addition to the US$1.2 million monetary penalty, Sephora specifically agreed to:
- revise its privacy policy and online notices to inform consumers that it sells personal information and that consumers have the right to opt out of such sales;
- process consumer requests signaled from GPC to opt out of selling their personal information;
- implement and maintain a program to monitor processing of consumer opt-out requests;
- review entities with which it shares personal information and ensure it has the necessary service provider contracts in place; and
- for a period of two years, report annually to the Cal AG on its efforts to process consumer requests to opt-out of the sale of personal information, including through GPC, and on its relationships with service providers.
Lessons Learned
In imposing the US$1.2 million penalty, the Cal AG signaled that it is not afraid to impose harsh remedies on non-compliant businesses and will continue its enforcement activity before and after the CPRA become effective on January 1, 2023. Indeed, the Cal AG also issued new examples of areas of focus for enforcement activity, including the adequacy of privacy policy disclosures relating to privacy practices and notices of financial incentives. The monetary penalty here should serve as a wake-up call for businesses to review their compliance with the CCPA and the upcoming CPRA. Importantly, the phasing out of the 30-day cure period after Jan. 1, 2023 means all companies with online consumer operations will need to proactively adhere to all CPRA requirements. As Attorney General Bonta noted, "my office is watching, and we will hold you accountable. It's been more than two years since the CCPA went into effect, and businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."
As we have previously described with regard to CCPA and CPRA compliance, depending on a business' current level of implementation, the necessary compliance obligations could range from a few updates to your existing data privacy compliance program to a more comprehensive implementation need. Several takeaways from the settlement are worth mentioning:
- Respect Consumer Use of Global Privacy Controls. As the Cal AG has emphasized for the past year, businesses must implement technology to recognize and accept consumer technology that permits consumers to universally opt-out of the sale of their personal information (Global Privacy Controls). Businesses must accept and process these Global Privacy Controls to have the same effect as a consumer's use of a "Do Not Sell My Personal Information" link;
- Third Party Tracking is a "Sale". The Cal AG has continued to broadly interpret the definition of "sale" to include a business permitting third parties to track consumers on their website. In its complaint against Sephora, the Cal AG claimed that Sephora sold personal information when it "gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits." As such, companies should be mindful of the Cal AG's stance on this issue when determining whether they sell personal information under the CCPA. Any benefit received from a third party that receives personal information from a business may be seen as a "sale" in the eyes of the Cal AG. If a "sale" is taking place, a business should offer legally compliant methods for California consumers to opt out. It is worth noting that this interpretation of "sale" under the CCPA is more clearly defined in the CRPA which identifies such tracking activity as "sharing" and imposes similar obligations on businesses;
- Service Provider Contracts Must Comply with CCPA Content Requirements. Arrangements with third parties who process personal information on behalf of a business should include written agreements that contain provisions limiting the third party's retention, use or disclosure of the personal information to the purpose of performing services. The absence of an agreement with such provisions creates a risk that the personal information provided or made available to third parties could be considered a sale under the CCPA. However, where such language is incorporated into relevant agreements, a business can take the position that the CCPA's service provider exception to a sale applies which relieves the business of obligations to facilitate a consumer request to opt-out of the sale of this personal information. Businesses should remain mindful that the CPRA will impose additional content and form requirements for service provider contracts when it takes effect on January 1, 2023; and
- CCPA Violations Can Occur During Each Website Visit. The Cal AG took the position in its complaint that Sephora violated the CCPA each time a California consumer visited the Sephora website while the company was not compliant with the CCPA's requirements. This had previously been an area of ambiguity under the CCPA. Under this approach, the Cal AG may claim significant damages during settlement negotiations with businesses who are accused of violating the CCPA.
The CCPA and upcoming CPRA compliance requirements encompass much more than those areas of noncompliance identified in the settlement here. With stiffer enforcement, less certain cure rights and the January 1, 2023 CPRA effective date looming, businesses would do well to evaluate compliance and address any gaps under California's data privacy laws.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP