The Sephora Case: Do Not Sell – But Are You Selling?

Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act. Pursuant to the settlement, Sephora, a French cosmetics brand, will pay $1.2 million in fines and abide by a set of compliance obligations. The attorney general alleged Sephora failed to disclose to consumers it was selling their personal information; failed to honor user requests to opt out of sale via user-enabled global privacy controls; and did not cure these violations within the 30-day period allowed by the law.

At issue in the case was Sephora’s sharing of information with third-party advertising networks and analytics providers, both commonplace practices among publishers. For companies doing business in California and preparing for the California Privacy Rights Act to take effect in January 2023, this case marks a considerable uptick in risk. It signals the attorney general’s focus on online tracking and on implementation of and compliance with global opt-out signals, such as the Global Privacy Control.

In a news release announcing the settlement, Bonta warned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. … There are no more excuses.” In addition, the office announced it sent notices to a number of businesses “alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.”

Here are several observations about the decision:

  1. Choice of defendant. Perhaps symbolically, the attorney general’s first enforcement action comes not against one of the many technology companies based in the state, but rather against a French cosmetics brand. With European privacy regulators laser-focused on Silicon Valley, the California regulator picked a case against the Champs-Élysées.
  2. Commercial surveillance. In its news release, the office states, “The settlement with Sephora underscores the critical rights that consumers have under CCPA to fight commercial surveillance.” The use of the term “commercial surveillance” is illuminating. Much like Chair Lina Khan’s FTC, which used the term extensively in its Advance Notice of Proposed Rulemaking, the attorney general is making an implicit value judgment simply by labeling data practices that are, for now at least, run of the mill as menacing “surveillance,” a term typically associated with national security agencies. The use of the term also suggests an emphasis on practices that involve tracking consumers across websites and services. Importantly, however, the CCPA places responsibility for such “surveillance” in the hands of businesses, like Sephora, that interact directly with consumers, rather than the third parties that receive and aggregate information from multiple sources.
  3. GPC, GPC, GPC. In a one-page news release, the attorney general mentioned Global Privacy Control 10 times. Bonta began his statement by saying, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights.” Clearly, the attorney general is intent on motivating businesses to implement the GPC as a one-stop-shop opt-out of data sales. Recall that a global opt-out mechanism wasn’t even mentioned in the CCPA, but rather appeared first in regulations thereunder, and that the attorney general first called for adherence to the GPC in an online FAQ published in July 2021. Even the language of the CPRA remains exceedingly vague with respect to the recognition of global opt-out signals, allowing businesses to voluntarily comply with “an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations” as an alternative to offering a “do not sell or share” link (rather than in addition to such a link). At the same time, the draft CPRA regulations suggest the California Privacy Protection Agency will also require businesses to comply with GPC signals even if they offer a “do not sell or share” link. Increasing emphasis on the GPC will inevitably raise questions about whether browsers can bake the GPC in by default or whether instead consumers will have to take an affirmative action to enable the signal. And, if use of the GPC becomes common, businesses will undoubtedly complain that the GPC converts an opt-out law into one that operates more like an opt-in. Be that as it may, the attorney general issued an unambiguous statement: publishers doing business in the state must honor the GPC, or else.
  4. But was it a sale? The case against Sephora turns on whether the company “sold” users’ personal information, as that term is defined in CCPA to mean trading personal information for valuable consideration. If Sephora sold personal information and failed to provide a “do not sell” link or to honor “do not sell” requests, it violated the law. But did it sell? The complaint alleged Sephora had third-party trackers on the site for analytics, ad serving and retargeting purposes. However, a critical question remains unanswered, namely whether those third parties were Sephora’s “service providers.” The attorney general took the position that sharing data with a vendor in exchange for analytics or ad serving is a “sale” because Sephora “gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits,” including “the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network.” But these same practices are often positioned as service provider arrangements where a business procures an analytics or ad targeting service on its own behalf. (In other words, rather than “selling” data, the business is buying a service). In this vein, Bonta suggested the alleged “sale” could have been cured by having “valid service-provider contracts in place with each third party;” but in the same breath alleged that “data about consumers is frequently kept by companies and used for the benefit of other businesses.” Importantly, publishers should take note that in order to prove that a vendor is a service provider under the CCPA, a business must put in place a service provider contract.
  5. Analytics services. While not mentioning any third-party provider by name, the complaint states “Sephora installed one widely-used analytics and advertising software package that let the analytics provider gather and keep personal information about an online shopper’s activities. The analytics provider then gave Sephora data about what shoppers did on its website or in its app, like how many people looked at a particular product. The analytics provider also would determine who the shopper was, using extensive data gathered from other sources, and then present Sephora with the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network.” If the attorney general were concerned about Sephora’s use of Google Analytics, it is perplexing he did not address Google’s “restricted data processing” feature, which limits the uses of data by Google and other third parties. When Google first offered this feature, it had to be enabled by businesses implementing Google services, but now Google turns on this feature by default. This should help protect a business against allegations of a data sale.
  6. Reproductive health information. The complaint states, “Sephora’s website allows visitors to browse and purchase products such as prenatal and menopause support vitamins — data points which can be used by third-party companies to infer conclusions about women’s health conditions, like pregnancy.” In the wake of Dobbs v. Jackson, even companies that didn’t consider themselves to be processing particularly sensitive information have been dragged into the political rift. Any practices that could involve reproductive health information merit close scrutiny by general counsel and chief privacy officers.

Implications for businesses

In light of the Sephora case and the strong statements issued by the attorney general, businesses should implement the following steps:

  1. Make sure you are aware of and document the presence of any third-party cookie, pixel, SDK, and similar tracker on your website or app. If you use a vendor for analytics or ad targeting, make sure to sign a service provider agreement protecting against the use of your data to benefit the vendor itself or its other customers.
  2. If you “sell” data include a “do not sell my personal information” link on the site. In addition, arrange to comply with GPC requests as do-not-sell signals. This can be done, for example, by configuring your cookie management platform to recognize GPC as an opt-out request.
  3. If your position is that you don’t sell, make sure to configure any services that offer such an option to deploy “restricted data processing” in order to minimize the risk that the data can be used and retained by the vendor for purposes other than providing services.
  4. Stating the obvious, but if a regulator allows you to avail yourself of a right to cure, use the opportunity to fix your set-up. Sephora allegedly failed to comply even after a 30-day cure period, and this ended up being costly.
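The following JavaScript is an added example of the mechanism behind step 2 above (recognizing the GPC signal as a do-not-sell request); it is not code from the original article, from Sephora, or from any consent management vendor. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property come from the GPC specification; the `sale=allow` / `sale=opt-out` cookie format, the rule that the signal overrides a stored “allow” choice, and the sample requests are constructed for this example.

```javascript
// Honouring the Global Privacy Control (GPC) as a CCPA "do not sell" opt-out.
// Pure functions with no framework dependency, so the same logic can sit in
// an Express middleware, an edge worker, or a consent platform callback.
//
// Per the GPC specification, a user agent with the signal enabled sends the
// request header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl === true
// to page scripts. The precedence rule below (signal beats a stored "allow")
// is this example's design choice, not something the article prescribes.

const SALE_ALLOWED = 'allow';
const SALE_OPT_OUT = 'opt-out';

// Case-insensitive header lookup; header objects from different servers and
// proxies use different casing.
function getHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// The spec defines only the value "1". Anything else (absent, "0", "true",
// garbage) is treated as "no signal" rather than guessed at.
function gpcSignalPresent(headers) {
  const value = getHeader(headers, 'Sec-GPC');
  return value !== undefined && String(value).trim() === '1';
}

// Client-side equivalent for scripts that gate tag loading in the browser.
// Takes the navigator object as a parameter so it can be tested without a DOM.
function gpcSignalPresentInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Parse the site's own consent cookie. Constructed format for this example:
// "sale=allow" or "sale=opt-out" among the pairs of a standard Cookie header.
function storedSaleChoice(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of String(cookieHeader).split(';')) {
    const [k, v] = part.trim().split('=');
    if (k === 'sale' && (v === SALE_ALLOWED || v === SALE_OPT_OUT)) return v;
  }
  return null;
}

// Decide whether tags that would constitute a "sale" (ad networks, retargeting,
// analytics without a service-provider contract) may load for this request.
//   GPC present          -> opt-out, even if an earlier cookie says "allow"
//   no GPC, cookie set   -> honour the stored choice
//   neither              -> allow (opt-out regime: no objection on record)
// `conflict` flags the case where the signal overrode a stored "allow", which
// a site may want to surface to the user rather than silently ignore.
function resolveSaleDecision(headers) {
  const cookieChoice = storedSaleChoice(getHeader(headers, 'Cookie'));
  if (gpcSignalPresent(headers)) {
    return {
      decision: SALE_OPT_OUT,
      reason: 'Sec-GPC: 1 received',
      loadSaleTags: false,
      conflict: cookieChoice === SALE_ALLOWED,
    };
  }
  if (cookieChoice) {
    return {
      decision: cookieChoice,
      reason: 'stored consent cookie',
      loadSaleTags: cookieChoice === SALE_ALLOWED,
      conflict: false,
    };
  }
  return { decision: SALE_ALLOWED, reason: 'no signal and no stored choice', loadSaleTags: true, conflict: false };
}

// Body for the optional /.well-known/gpc.json resource by which a site
// announces that it honours the signal (the date is whatever the site last
// reviewed its handling; the value passed here is illustrative).
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  gpcOnly:      { 'Sec-GPC': '1', 'User-Agent': 'Mozilla/5.0' },
  gpcOverrides: { 'sec-gpc': '1', cookie: 'sale=allow; session=abc' },
  cookieOptOut: { Cookie: 'sale=opt-out' },
  noSignal:     { Cookie: 'session=abc' },
  malformed:    { 'Sec-GPC': 'true' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
    console.log(label, resolveSaleDecision(headers));
  }
}
```

Run with `node gpc.js` to see the decision for each sample request. The `gpcOverrides` case is the one the attorney general’s notices target: a prior “allow” cookie does not excuse loading sale tags once the browser sends `Sec-GPC: 1`, so the platform must re-evaluate on every request rather than trusting a cached consent state.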

This article first appeared on August 29, 2022, on the IAPP Privacy Perspectives page.