Cosmetics Giant Sephora to Pay $1m+ Privacy Settlement

One of the world’s biggest cosmetics retailers has agreed to pay $1.2 million in penalties and take corrective action after falling foul of the California Consumer Privacy Act (CCPA).

Announced by the state’s attorney general, Rob Bonta, this week, the Sephora settlement is part of his office’s push to enforce a law that took effect on January 1, 2020, more than two years ago.

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” said Bonta in a statement.

“My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Owned by French luxury goods giant LVMH, Sephora was accused of failing to disclose to consumers that it was selling their personal information, and of failing to process opt-out requests sent via user-enabled global privacy controls (the browser-level Global Privacy Control signal). The firm did not correct these issues within the 30-day cure period the CCPA provided at the time.

Through third-party tracking software embedded in Sephora’s website and app, the companies with which the firm struck commercial deals could build consumer profiles including details such as precise location, shopping basket contents and the device a customer was using.
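The opt-out mechanism at issue above is the Global Privacy Control (GPC) signal, which a browser or extension sends as the request header `Sec-GPC: 1` and exposes to page scripts as `navigator.globalPrivacyControl`. The following is an added example, not code from the original article or from Sephora, showing how a site can detect that signal on both sides and gate the loading of third-party tags that share personal information. The tag list, the session store and the `handleRequest` shape are constructed assumptions for illustration.

```javascript
// Added example: honouring the Global Privacy Control (GPC) opt-out signal.
// Server side: a GPC-enabled browser sends "Sec-GPC: 1" on every request.
// Client side: navigator.globalPrivacyControl === true in page scripts.

// Constructed inventory of tags the site loads. "sharesPersonalInfo" marks the
// ones whose data flow the site itself classifies as a sale/share of personal
// information; only those need to be suppressed on opt-out.
const THIRD_PARTY_TAGS = [
  { id: "analytics-vendor", sharesPersonalInfo: true },
  { id: "ad-retargeting", sharesPersonalInfo: true },
  { id: "first-party-metrics", sharesPersonalInfo: false },
];

// Case-insensitive header lookup; Node lowercases header names, other
// frameworks may not, so do not rely on one spelling.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// The GPC spec defines exactly one valid header value, "1". Anything else
// (absent, "0", "true") is not an opt-out request.
function gpcRequestedFromHeaders(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// Client-side equivalent for code running in the browser. Accepts the
// navigator object so it can be exercised outside a browser.
function gpcRequestedFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Decide which tags may load: on opt-out, drop every tag that shares
// personal information; tags that do not share are unaffected.
function tagsToLoad(optOut, tags = THIRD_PARTY_TAGS) {
  return tags.filter((t) => !(optOut && t.sharesPersonalInfo)).map((t) => t.id);
}

// Server-side handler sketch (assumed shape: req.headers, req.sessionId;
// store is a Map keyed by session). The opt-out is persisted for the session
// so it keeps being honoured even if a later request lacks the header.
// The response carries "Vary: Sec-GPC" so a cache never serves the
// tracking-enabled variant of a page to a GPC user.
function handleRequest(req, store) {
  const signalled = gpcRequestedFromHeaders(req.headers);
  const optOut = signalled || store.get(req.sessionId) === true;
  if (optOut) store.set(req.sessionId, true);
  return {
    optOut,
    tags: tagsToLoad(optOut),
    responseHeaders: { Vary: "Sec-GPC" },
  };
}

// Stand-alone demonstration with a constructed request.
if (typeof require !== "undefined" && require.main === module) {
  const store = new Map();
  console.log(handleRequest({ headers: { "sec-gpc": "1" }, sessionId: "demo" }, store));
  console.log(handleRequest({ headers: {}, sessionId: "demo" }, store));
}
```

The suppression has to happen before the tag script is fetched: a tracker that is loaded and then "told" to opt out has usually already sent the page URL, cookies and device details. Treating the signal as sticky per session, as above, also covers the gap between the first GPC-flagged request and any consent-management state the site keeps server-side.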

As part of the settlement, Sephora has agreed to:

  • Clarify its privacy policy to state that it sells data
  • Provide a way for consumers to opt out of the sale of personal information
  • Tweak its service provider agreements to meet the CCPA’s requirements
  • Provide reports to the attorney general relating to its sale of personal information and the status of its service provider relationships

A “number” of other businesses have also been notified by Bonta’s office that they are out of compliance and will have 30 days to cure their CCPA violations.

The CCPA is narrower in scope and jurisdiction than the GDPR. However, it was the first comprehensive consumer privacy law enacted by a US state, improving privacy protections for consumers while handing them more rights over how their personal information is used.
