Export Compliance Daily is a Warren News publication.
CPRA Enforcement Looms

Sephora to Pay $1.2M Over Privacy Claims; Minorities Target New Regs

California Attorney General Rob Bonta (D) took enforcement action Wednesday against cosmetics store Sephora under the California Consumer Protection Act (CCPA), as part of a sweep of online retailers. He made the announcement the same day the California Privacy Protection Agency (CPPA) held the first of two public hearings this week on draft regulations for updating the state’s privacy law.



Sephora will pay $1.2 million in a settlement with the state, Bonta said at a virtual news conference. California is sending out a dozen more notices of violation as it launches another sweep of companies failing to process opt-out requests from browser-based global privacy controls, he said. With a 30-day right to cure in the law dissolving at the end of this year, Bonta warned other businesses the “kid gloves are coming off.”

Several minority-owned businesses and the Association of National Advertisers (ANA) asked the CPPA to delay the July 2023 enforcement date for the California Privacy Rights Act (CPRA), which will succeed CCPA, since the new rules were supposed to be finalized July 2022. Black, Latino and Asian business leaders lamented compliance costs associated with the new regulations.

The agency’s estimate of $127.50 per business is “at best a lowball figure,” said ELM Strategies CEO Edwin Lombard, who consults for Black business owners. The agency’s estimate pales in comparison to the independent assessment from the attorney general’s office, which estimated the total compliance cost of the CCPA for state businesses to be $55 billion, said California Director for the National Federation of Independent Business John Kabateck.

The draft regulations would make online tools that businesses rely on “less effective” and add significant costs for daily operation, including reporting, training and recordkeeping, said Julian Canete, CEO of the California Hispanic Chambers of Commerce. The board should reconsider its enforcement deadline, return to the negotiating table and allow small businesses to be a part of the discussion, said Richard Wallace, president of the Southern California Black Chamber of Commerce: “We’re already down to the bare bones in trying to survive and getting our businesses up and running. Decisions like this that don’t involve the community don’t allow us to be a part of what we’re trying to grow.” The agency has held several prerulemaking sessions in addition to this week’s hearings that allow public participation, said CPPA attorney Brian Soublet, Wednesday’s hearing officer: “I just want to make sure that the record reflects that.”

There hasn’t been any “communication about whether the agency will extend the enforcement deadline to ensure businesses have a full year to comply, as intended by Proposition 24,” said Andrea Cao, California Asian Pacific Chamber of Commerce public policy manager. ANA Government Relations Manager Travis Frazier requested a full year after the regulations have been finalized for companies to comply before enforcement begins.

“We don’t understand this complex regulatory framework, therefore we don’t know how to ensure compliance,” said Wild Fern Marketing owner McKenzie Lombard, citing the threat of lawsuits. If the regulations are too confusing, the “simple decision not to sell consumers’ personal information for the purposes of invasive and privacy-violating, cross-context behavior advertising is quite a simple decision to make,” said California resident Andrew Alsup.

The CPPA needs to provide guidance on definitions for dark patterns, deceptive language and design and categories of sensitive personal information, Consumer Watchdog Tech and Privacy Advocate Justin Kloczko wrote in comments to the agency. The group applauded the inclusion of a global privacy preference signal. “The global preference signal is an easy, fluid way for users to notify all businesses of their privacy preferences,” said Kloczko.

The draft regulations establish opt-out preference signals that contradict what’s stated in the CPRA by requiring businesses to recognize global opt-out preference signals, the Computer & Communications Industry Association said in comments. The statute allows businesses to choose to provide links for consumers to opt out or share disclosures or recognize universal opt-out preference signals. The draft regulations make honoring global opt-out provisions mandatory, CCIA said. It’s important to allow “flexibility on various details like how they comply with provisions to notify third parties of consumers’ preferences so as not to inhibit new tech features and innovation,” said CCIA State Policy Director Khara Boender.

Consumer groups spoke against the draft regulations’ inclusion of “frictionless” and “non-frictionless” methods for processing consumers’ opt-out preferences, in joint comments. The Electronic Frontier Foundation, the Consumer Federation of America, Consumer Action, ACLU California Action, the Privacy Rights Clearinghouse, Oakland Privacy, the Media Alliance and Access Humboldt signed. The frictionless method prohibits companies from charging fees, degrading service or badgering users with pop-ups when selecting preferences, the groups wrote. The non-frictionless method isn’t defined and opens the “floodgates” for “deceptive and manipulative design from companies who will take every opportunity to deprive consumers of their privacy and their ability to make simple choices to protect themselves,” they wrote.

Coming CPPA enforcement of CPRA will mean “another set of eyes and resources to protect consumers,” said Bonta, the attorney general: The AG office looks forward to working with the new agency. “Certainly there is overlap,” he said, “but multiple watchdogs on the block … is a good thing.” Federal privacy legislation should “apply as a floor, not a ceiling,” and not preempt California, Bonta said. “What we are trying to avoid is a scenario where the protections in the federal legislation are weaker than the protections currently in place in California.” The Sephora action might not have been possible under a preemptive federal law that didn’t require companies to honor global opt-out signals, he said.

California’s action against Sephora should send a message to other businesses, said Bonta: “We will not hesitate to enforce the law.” The retailer violated CCPA by failing to disclose to consumers it was selling their personal information, making it available online to third-party trackers in exchange for targeted advertising and discounted analytics, said the AG: And it failed to process opt-out requests from user-enabled global privacy controls. Sephora didn’t correct violations within 30 days of receiving notice, said Bonta. In addition to monetary penalties, Sephora agreed to clarify its privacy policy and online disclosures to say it sells data and to honor global opt-out requests, he said. The settlement is pending court approval.

“Sephora respects consumers’ privacy and strives to be transparent” about how personal data is used, a spokesperson said: Sephora uses data “strictly” for itself, but the CCPA doesn’t define sale “in the traditional sense of the term.” Sephora wasn’t “the target or victim of a data breach,” and the settlement doesn’t “constitute an admission of liability or fault by Sephora,” the spokesperson said. “We have always cooperated fully with the [attorney general] and Sephora’s practices are already in compliance with the CCPA.” Consumers can opt out on Sephora’s website or by using a browser’s global privacy control, the spokesperson said.