A MoFo Privacy Minute Q&A: What All Online Businesses Need To Know About The California Attorney General’s $1.2 Million Settlement with Sephora for “Sale” of Personal Information to Ad Tech and Web Analytics Providers
This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: What can I learn from the California AG’s CCPA settlement with Sephora to check whether my own business’s privacy notice and opt-out mechanisms relating to online advertising and analytics meet the AG’s expectations?
Answer: On August 24, 2022, the California Attorney General (“CA AG”) announced a $1.2 million settlement with the cosmetics retail giant Sephora for its alleged failure to disclose the “sale” of consumer personal information (PI) to advertising technology (“ad tech”) and web analytics companies in its privacy notice and its alleged failure to implement corresponding opt-out mechanisms under the California Consumer Privacy Act (CCPA). According to the CA AG’s complaint, Sephora allowed ad tech and analytics companies to place cookies, pixels, and other tracking technologies collecting Internet usage information about its web and app users for Sephora’s own commercial benefit as well as for others’ benefits, and failed to detect and respond to users’ global opt-out signals.
Like many online retailers, Sephora uses behavioral advertising and web analytics services to enhance its online advertising and improve its online properties by feeding these services with consumer personal information, such as “products that consumers view and purchase, consumers’ geolocation data, cookies and other user identifiers, and technical information about consumers’ operating systems and browser types.” The CA AG broadly interpreted this transfer of PI to third parties in exchange for services and the resulting commercial benefit to Sephora and other participating companies as a “sale” under the CCPA. While the CA AG’s complaint is not entirely clear, the “commercial benefit” to Sephora appeared to be free or discounted services and/or the enhancement of Sephora’s own first-party personal information with third-party personal information—and not merely Sephora’s receipt of the analytics or advertising services from a third party. This interpretation is consistent with how we have considered the CCPA’s sale provisions.
The CA AG’s complaint highlights Sephora’s failure to disclose its “sales” to its users, provide associated opt-out mechanisms, and honor users’ Global Privacy Control signals, which are transmitted to websites by some Internet browsers when users set them to do so.
While this case does not tell us whether other kinds of online advertising and analytics would also be considered a “sale” under the CCPA, the CA AG’s interpretation might have been different if:
The settlement order requires Sephora to pay $1.2 million to the CA AG, as well as to:
Sephora was one of many businesses to which the CA AG sent inquiries in an enforcement sweep earlier this year. Several others cured what the CA AG viewed as non-compliance within 30 days of being notified. By curing, these businesses managed to stay out of the press and averted similar fines. However, starting January 1, 2023, the CCPA will be replaced by the California Privacy Rights Act (CPRA), which does not have a cure period. So all businesses are now under pressure to implement compliance measures before the Attorney General or the California Privacy Protection Agency comes knocking on July 1, 2023, when enforcement begins. Moreover, the CPRA introduces a new concept of “sharing,” which will require that businesses offer an opt-out from cross-context behavioral advertising regardless of whether such advertising involves a “sale.”
Furthermore, along with the announcement of this enforcement action, the CA AG also sent another sweep of notices to businesses inquiring whether they honor consumer opt-out requests made via user-enabled privacy controls like the Global Privacy Control.