International companies doing business in the United States must comply with California’s data privacy laws or suffer large fines. California’s first enforcement action under the California Consumer Privacy Act (“CCPA”)[i] has resulted in a settlement of $1.2 million and an agreement to immediately correct the privacy violations. As part of an ongoing enforcement sweep of large online retailers, the California Attorney General brought the lawsuit against Sephora Inc., one of the world’s largest cosmetics retailers. The lawsuit[ii] claims that the company sold customer information without proper notice, in violation of California’s landmark consumer privacy law, which was originally passed in 2018.
What did the cosmetics retailer do to earn the wrath of the California Attorney General? It permitted third-party companies to install tracking software that enabled them to build detailed consumer profiles to better target customers. The tracking software on the cosmetics retailer’s website monitored consumers as they shopped, and tracked the data, including whether the consumer was using a MacBook or a Dell, and the brand of makeup that a consumer put in their shopping cart. The prosecution claimed that the arrangement was considered a sale of personal information under the CPPA. According to the underlying lawsuit, on its website, the cosmetics retailer promised: “we do not sell personal information.” Furthermore, Sephora failed to tell customers that it was selling their personal information, failed to allow customers to opt out of that sale, and even after the company was notified of the violations, it didn’t fix the problem within thirty days as required by California law.
While insisting it did nothing wrong, Sephora questioned the definition of “sale” under the California law, saying it may bar the company’s internal use of software cookies to offer customers more “relevant products”[iii]. This enforcement action against the cosmetics retailer indicates the broad use of the term “sale” under the CCPA to now include relationships where the data controller is retaining vendors to provide services to it.
Concerning is the settlement’s reliance on the GPC. The principle of the GPC is that consumers should be able to preset privacy preferences just once, rather than doing so on each website. While this is a laudable goal, there is no mention of requiring GPC anywhere in the statute or the existing regulations governing its interpretation.
While Sephora is the first company to be fined, it won’t be the last. The California Attorney General continues to be aggressive in enforcement efforts as evidenced by it sending out more than a dozen new warning notices the very week the Sephora settlement was published. Altogether, the state’s Attorney General has notified more than one hundred companies that they were out of compliance. Unlike the cosmetics retailer, many of these companies responded by changing their websites to comply with state law within thirty days of receiving a notice[v]. However, this thirty-day grace period for companies violating the law ends next year, when companies will be required to comply without warning.
Clearly, the California Attorney General is committed to the robust enforcement of the state’s data privacy law. Since 1 July, 2020, the Attorney General has issued notices to a wide array of businesses alleging noncompliance with the CCPA. Notices to cure have been issued to major corporations in fields as broad as the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others. Examples of notices to cure are available at oag.ca.gov/ccpa, and include:
Enforcements against businesses operating loyalty programs that offered financial incentives containing discounts, free items, or other rewards in exchange for personal information without providing consumers with a notice of financial incentive;
An online advertising business where its privacy disclosures were not understandable to the average consumer and omitted the required information; and
A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.
While many types of businesses are being targeted for enforcement, some California privacy attorneys question whether the selection of Sephora for prosecution may potentially be linked to the divisive war being waged in America over women’s reproductive rights. According to the Attorney General’s lawsuit, in addition to selling cosmetics, Sephora also sells prenatal vitamins. Such pills are a data point that can be used to infer conclusions about a woman’s pregnancy.
Is it overreaching to conclude that the sale of prenatal vitamins without privacy law compliance may be one reason Sephora was targeted for enforcement? It is yet unknown whether pharmacies and other health care providers websites are similarly being targeted by the state Attorney General for privacy violations. Because of this political battle, any company doing business in California must pay particular attention to products or services which can be even tangentially linked to women’s reproductive rights, less the company become an unintentional pawn in this divide over reproductive rights and privacy.
When the U.S. Supreme Court overturned the right to an abortion guaranteed by Roe v. Wade, it set off a divisive battle between the states. Several conservative states are seeking to prevent their female residents from obtaining abortions in other states where the procedures are readily accessible, such as California. Prosecutors in these anti-abortion states have begun to use digital data to prosecute such actions. Data revealing the purchase of prenatal vitamins could potentially be flagged to assist more conservative states in identifying pregnant consumers.
Many more robust privacy provisions will also come in 2023, when the CCPA is replaced with even stronger regulations in the expanded California Privacy Rights Act (“CPRA”)[vi]. To allow for more aggressive prosecution of privacy violations, the California Attorney General’s office will begin sharing enforcement responsibility with a new California Privacy Protection Agency. This new Agency will also have the power to create and to enforce regulations consistent with the CPRA. Such draft regulations are currently out for public comment before being finalized.
Privacy laws are in flux in the United States. There is no federal constitutional right to privacy, and no cohesive national statutes that guarantee such a right. However, after the recent U.S. Supreme Court privacy decision overturning the right to an abortion in Dobbs v. Jackson Women’s Health Organization et al, (decided 24 June, 2022), many Americans have called for national privacy standards to be codified. After years of failed attempts to pass comprehensive federal online privacy rules, a bipartisan group of congressional representatives introduced a new privacy bill in June 2022. The American Data Privacy Protection Act seeks to limit data collection and allow for enforcement by the Federal Trade Commission, although, as it is currently written, it is more limited than California’s privacy laws.
Such weaker federal legislation could potentially replace (or “preempt”) California’s protections with weaker protections. California officials want to make sure the state’s strict privacy laws aren’t undermined as the federal government considers what are likely to be less stringent nationwide standards. However, California’s law won’t be affected so long as Congress makes federal standards a “floor” with minimum privacy standards, instead of a “ceiling,” which would preempt state privacy laws. The U.S. Federal Trade Commission also recently voiced its intent to create new privacy rules.
Stay tuned. Whether cohesive federal privacy laws will be enacted, how strong such laws will be, and whether such federal standards will preempt California’s stricter privacy laws, all may depend in large part on the results of the upcoming November 2022 mid-term elections and which political party wins control over the U.S. Senate and House of Representatives. As these changes may take time to implement (regardless of the political wording or intent) – for now, at least – following California’s strict data privacy standards can save businesses a headache, and possibly, a trip to the bank.
Janice F. Mulligan, Esq.
Lexing Member for USA
[i] California Consumer Privacy Act of 2018, Civil Code § §1798.100 – 1798.199.100
[ii] California v Sephora USA, Inc. (S.F. Superior Court, filed August 23, 2022).
[iii] Sephora 1st Company AG to Sanction Under Privacy Law By MALCOLM MACLACHLAN Los Angeles Daily Journal August 25, 2022.
[iv] The GPC allows consumers to opt out of all online sales in one fell swoop by broadcasting a “do not sell” signal across every website they visit, without having to click on an opt-out link each time. Under the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link.
[v] Cosmetics giant Sephora settles customer data privacy suit by DON THOMPSON Associated Press Aug 24, 2022
[vi] California Privacy Rights Act of 2020, Civil Code § §1798.100, et seq. (as amended)