What Sephora's $1.2M Settlement Means for CPRA Compliance

• On Aug 24, 2022 the California attorney general (AG) announced a $1.2M settlement with Sephora for alleged violations of CCPA.

• The AG alleged that Sephora was selling data to third parties, not disclosing these sales in their privacy notice, and not honoring requests from consumers to opt-out of the sale of data, including not honoring the Global Privacy Control browser signal specifically.

• This is the first enforcement action we’ve seen under CCPA that's resulted in a monetary settlement, and it offers businesses three key takeaways.

Transcend's General Counsel and Head of Privacy, Brandon Wiebe, and CEO, Ben Brook, hosted a webinar exploring Sephora's $1.2M settlement and what it means for CPRA compliance. You'll find the highlights of the conversation below and can watch the full recording here.

Note: The following text has been edited for readability.

1. Businesses must honor the Global Privacy Control signal to opt consumers out of the sale of data—the same way they’d honor any other valid request for data sale opt out.

2. Use of third party trackers on your website almost always constitutes a sale of data, in the attorney general's view.

3. In this enforcement sweep, the attorney general identified many businesses they viewed as out of compliance—and there’s a lot to take away from that. Many of us, if we go and look at our consumer facing websites, may be technically out of compliance with CCPA in the attorney general’s eyes. 

Let’s dig into that first one, Global Privacy Control, a little more. 

We see from the settlement and complaint documents that when the AG initiated the enforcement sweep, Global Privacy Control signals - technical signals that users can emit from their browser by installing the plugin - were at the core of the attorney general's investigation. 

The AG’s office was going website by website to these consumer brands and checking the network traffic emitted from their sites to see whether it changed when they were using the Global Privacy Control signal and when they weren’t. 

In Sephora’s case, they noticed there was no change. So they did further testing and came to the conclusion that Sephora was not honoring this signal, despite the fact that they were sharing information with third party trackers on the site. 

For background, the CCPA statute itself doesn’t mention anything about universal opt-outs or Global Privacy Control. However, it does give the Attorney General the authority to promulgate regulations designed to further the purposes of CCPA. 

In the initial set of regulations the Attorney General issued regs that said if a business collects personal information from consumers online they must treat user enabled global privacy controls, such as a browser plugin or privacy setting, as a valid CCPA request.

Though that regulation didn’t specifically call out Global Privacy Control as the anointed standard, in 2021 the attorney general tweeted support for Global Privacy Control specifically and updated their FAQ page to indicate they would be treating the GPC signal as a requirement businesses needed to honor. 

And the enforcement action with Sephora makes it clear that none of this was fluff or hyperbole in any way. The attorney general in California views GPC as a requirement and businesses should look at adopting the technology that will allow them to detect and honor downstream global privacy control signals—opting users out of the sale of data in that scenario. 

The second big takeaway is that, to the AG’s office, use of most third party trackers will constitute a sale of data. 

In the Sephora action in particular, the settlement and complaint documents mention that Sephora was allegedly using a “popular analytics provider.” They don’t go into specifics on what that is and some folks have assumed it’s Google Analytics. 

But the theory the attorney general put forward here is that sharing personal information with this type of analytics tracker constituted a sale—because Sephora received an exchange for the personal information in the form of analytics services.

This is a tricky, mushy area in the law because many folks would view this scenario, where you receive a service in exchange for personal information, as a service provider relationship. Where you’re actually obtaining an analytics service from this third party tool on your own behalf and not exchanging data for the analytics’ benefits. 

But the Sephora documents show that the attorney general’s core complaint was that Sephora didn’t have sufficient service provider contracts in place with these third parties. 

The takeaway is that you should look very critically at any third party trackers you’re using. If you’ve done the analysis and think the exchange of information with a third party is truly a service provider relationship, meeting that definition under the law, you need to make sure you’ve checked all the boxes to formalize that relationship—make sure you have service provider agreements in place. 

Moving onto the last big takeaway, and I think this struck a lot of folks, is that the attorney general's enforcement sweep touched on a lot of businesses. Over a hundred businesses were in this initial sweep—all of whom received non-compliance letters from the attorney general’s office. 

And, the attorney general said they’re in the process of sending out another series of letters now. 

But I want to point out that most businesses that got letters didn’t end up in Sephora’s position. All of these businesses were given thirty days to cure their deficiencies, as they’re entitled to do under CCPA. Sephora did not, so that led into further action and ultimately the settlement. 

It’s also worth noting that moving forward next year under CPRA, the 30 day cure period is no longer obligatory. As enforcement moves from the AG’s office to the California Privacy Protection Agency (CPPA), it becomes discretionary. And so it may be the case that the CPPA doesn’t allow businesses a chance to cure these types of deficiencies going forward. 

Also, as one commentator pointed out—it’s very interesting that the first major enforcement action out of CCPA didn’t go after one of the big tech companies. Under GDPR, the data protection authorities in Europe have been focused on big tech and Silicon Valley. Whereas the California attorney general is focused on consumer facing brands that interact with a lot of personal information. 

So if you fall into that category, be aware that the attorney general is monitoring this sort of stuff - especially your public facing website and visible privacy efforts - very closely.  

On their site, the attorney general publishes a list of example enforcement letters they’ve sent out, as well as the steps businesses took to cure those deficiencies. It’s worth using these examples as a roadmap for mitigating risk effectively and buttoning up your privacy compliance. 

To give a bit of background, the Global Privacy Control (GPC) was formed in response to the CCPA requirement for businesses to honor browser based signals as a Do Not Sell opt out choice. It was created by folks in the privacy community including Robin Berjon, Sebastian Zimmeck, and people from places like DuckDuckGo and the Brave Browser. 

In practice, GPC is a browser specification that creates a signal for any user visiting a website. And that website is then required to detect that signal and honor it as a Do Not Sell or Share request.

So the easy part is actually detecting GPC—it’s a relatively simple implementation on your front end code. There’s really only a couple lines to see whether or not a user has GPC enabled and that spec is available at globalprivacycontrol.org.

The harder part is honoring that signal as a Do Not Sell or Share request—implementing it downstream to actually change the way you’re collecting and using this individual's data. 

These processes, which constitute selling or sharing, are almost always fully automated pipelines where data is just being collected in an automated fashion. Meaning that to implement Do Not Sell or Share and honor it, you have to alter these automated pipelines. 

For a lot of businesses this represents a fairly large project of overhauling their ad tech integrations, as well as integrations with vendors that are collecting data from their site. 

And day-by-day, this is getting more complex because there’s been a rise in special APIs with these ad tech vendors. For example, Google restricted data processing, Facebook Limited Data Use (LDU) parameters, Youtube Privacy Enhanced Mode—all of these require modifying the events you’re collecting on individuals on the client side before they get emitted to third parties.

These special APIs were specifically called out as an implementation requirement in the Sephora settlement. But with these new APIs changing every day, it’s getting increasingly complex in terms of technical implementation. 

For the Transcend Consent customers in the audience today, just know that you’re already covered here. Transcend Consent has always detected GPC and treats it as an opt out. It’s also integrated with these special APIs like Google restricted data processing, Facebook LDU, and more.

For anyone’s who’s not yet using Transcend Consent we’d love to talk to you and see if there’s a fit. But if not, the way to approach this problem is by identifying each of the third parties you're sending data to, those that don’t meet the service provider definition under the AG’s interpretation).

Then you have to modify the way your ad tech stack works. There’s more to peel back there with your engineering team, but if anybody’s looking to get a little bit deeper with a consultation we’re more than happy to follow up. 

There’s a few components there. The first big one is that a lot of these ad tech vendors have special APIs where you actually have to modify events. So it’s actually better to think of this problem as more of a data flow rather than just a dropping of cookies. 

At Transcend we think of cookies as one tiny component of the tracking stack, but generalize all of it under the question—what data is being emitted from the user's device to any of your systems or third parties? And how do you actually regulate those data flows?

We approach the problem by essentially putting a firewall between the user's browser and all of these third party destinations, such that any time data is emitted it has to pass through a rule engine in this firewall. 

These special APIs are a fundamentally different problem than cookies. It’s really about all the data that’s being collected and processed, so if you’re only looking at cookies you’re only seeing a very small piece of the pie in terms of what you’re collecting. 

If your organization has been impacted by the California Privacy Rights Act or other consumer privacy laws, Transcend can help you ensure compliance.

Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.