California fines Sephora $1.2 million for data privacy violation

Marking the first enforcement of the landmark California Consumer Privacy Act, the state attorney general Wednesday announced a $1.2 million fine against French beauty care retailer Sephora for failing to tell consumers their data was being sold or give them a means to opt out of its collection.

As part of a settlement, Sephora must improve its transparency, clarify its opt-out provisions and provide reports to the Attorney General’s office on its sales of personal information.

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” Attorney General Rob Bonta said. “My office is watching, and we will hold you accountable.”

Sephora said in a statement Wednesday that the company “respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience.” The company added that it is currently in compliance with the data privacy act and that the settlement “does not constitute an admission of liability or fault by Sephora.”

The California Consumer Privacy Act was sponsored by Bay Area real estate developer Alastair Mactaggart after he became alarmed at how much personal consumer data companies collect and sell. The legislature passed, and Gov. Jerry Brown signed the initial version in 2018 to head off a threatened ballot measure.

The law, a national first which aimed to give consumers protections like those adopted in Europe, took effect in January 2020. But Mactaggart’s concerns that business lobbyists were watering it down led to a ballot measure California voters approved in November 2020.

Mactaggart said he was encouraged by Wednesday’s enforcement announcement.

“It’s great to see him enforcing the law,” Mactaggart said. “The companies have had a long time and now should start complying.”

Critics have complained the privacy law would saddle businesses with onerous compliance costs, putting smaller companies at a disadvantage.

Sephora said Wednesday that it uses consumer data only “for Sephora experiences,” and the settlement arose from a misunderstanding of what California’s law requires. The act, Sephora said, “does not define ‘sale’ in the traditional sense of the term” but includes “common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora recommendations, personalized shopping experiences and ads.”

Sephora also said online consumers have the opportunity to opt out of this personalized shopping experience by clicking a “CA — Do Not Sell My Personal Information” link on the Sephora.com website or by using a browser that broadcasts the global privacy control. The global privacy controls offered by some browsers let consumers signal privacy preferences to a host of websites at once rather than one at a time.

Bonta said that an attorney general enforcement sweep of online retailers found Sephora had failed to disclose to consumers it was selling their personal information and had failed to process user requests to opt out of that sale via user-enabled global privacy controls. When notified of the problems, Sephora did not correct them within the 30-day period the law currently requires, he said.

Bonta said his office has sent more than 112 companies notices that they have been found in violation of the data privacy act.