Sephora Action Portends 'Aggressive' Calif. Privacy Enforcement: Lawyers
Businesses may need to reconsider their strategies for complying with California privacy law after Attorney General Rob Bonta’s summer action against Sephora signaled aggressive enforcement by the state, attorneys said in interviews. Privacy compliance work is especially urgent with California’s 30-day right to cure going away Jan. 1 and more state laws taking effect in 2023, the lawyers said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The Democratic AG took action against Sephora under the California Consumer Protection Act (CCPA), as part of a sweep of online retailers. The cosmetics retailer agreed to pay $1.2 million to settle the complaint. A new entity, the California Privacy Protection Agency (CPPA), will join state enforcement efforts after CCPA’s sequel, the California Privacy Right Act (CPRA), takes effect Jan. 1. State privacy laws also taking effect next year are in Virginia Jan. 1, Colorado and Connecticut, July 1, and Utah Dec. 31.
Bonta took “a very, very broad definition of selling, and it’s clear that Sephora did not take a similarly broad definition when it built out its compliance strategy,” said Wiley attorney Joan Stewart. “Businesses need to go back and look at how they defined selling as they implemented CCPA.” It seems the AG’s view is that selling includes “any transmission of consumer personal information to a third party where you receive a benefit from the arrangement,” said Stewart: Many companies use digital analytics that may be covered by the law. “Any time a third party is accessing your data, you need to look at that with increased scrutiny, and any time a consumer is trying to communicate their request for how you use their data, you need to make sure that you’re receiving those requests and processing them.”
“Businesses operating in California should update their privacy policies or they risk noncompliance,” said Farella Braun's Michelle Kao. Going after a French multinational company like Sephora shows the AG is casting a wide net, the attorney said. “It’s not just homegrown, local California companies,” she said. The Sephora action definitively says that businesses must accept signals from the global privacy control (GPC), a browser-based toggle that allows consumers to opt out by default, she said.
The Sephora action shows businesses must honor GPC signals and treat “most common analytics as a sale,” said Gregory Szewczyk of Ballard Spahr. “These have been issues that a lot of companies have kind of thought were more 2023 issues,” but it turns out they are “live enforcement issues.” It was surprising GPC was a focus since Mozilla Firefox is the only mainstream browser that currently supports it, said the privacy lawyer: The AG’s complaint didn’t specify what analytics Sephora was using but “made very clear” that “using an analytical tool where the third party will have access to any of the data constitutes a sale, whether it’s for advertising or … just for the access to analytics.”
The definition of sale may be “much broader” than businesses thought, said DarrowEverett's Chad Gottlieb. In the first major sweep since CCPA’s enactment, “the AG went after the bigger companies, but I can see them definitely taking a more aggressive approach with all sizes of companies in the future,” he said. Bonta’s statement accompanying the Sephora action said his office sent notices about possible violations to corporations across many sectors, noted the same firm’s Ryan Taylor: That could include tech and telecom companies.
Sephora “seemed to be a proactive investigation by the attorney general,” noted Stewart. Most of the initial noncompliance letters that went out under CCPA appeared to stem from consumer complaints, but the sweep that caught the cosmetics company indicates the AG office “went out there checking” websites, Stewart said. On Jan. 1 when CPRA takes effect and the CPPA enters the playing field, “we’ll have two layers of enforcement” and companies won’t be able to cure found violations, she cautioned.
The Sephora action signaled “aggressive enforcement” in California, Szewczyk said. Retailers should be “particularly vigilant right now,” he said, but expect California’s attention to turn to other industries before long. Szewczyk will be watching to see what impact the CPPA has joining enforcement activities next year but thinks it will probably mean more legal actions. With four other states’ privacy laws taking effect over the course of 2023, it’s possible AGs will coordinate efforts like they do on other consumer protection issues, he said. Both Colorado and California laws zero in on analytics used for targeted advertising, for example, the lawyer said.
Additional state laws coming online in 2023 will complicate compliance, said Gottlieb. “It’s going to be very piecemeal initially,” predicted the lawyer, comparing the situation to how states have individually enforced their own unfair and deceptive trade practices laws. A federal law seems “inevitable” given growing public discontent with online tracking, said Gottlieb: If that includes a private right of action as Congress has discussed, businesses will likely have to contend with an “influx of litigation,” not unlike what’s occurred with the Telephone Consumer Protection Act and state mini-TCPAs.