CCPA Enforcement In Action But Questions Abound

The passage of the California Consumer Privacy Act (CCPA) in 2018 (effective January 2020), since significantly amended and expanded by the California Privacy Rights Act (CPRA), set the stage for other comprehensive state privacy laws. Following suit, Colorado, Connecticut, Virginia, and Utah now have broadly similar comprehensive privacy laws.

With comprehensive privacy laws like the CCPA and GDPR, a key component is the possibility of enforcement action for non-compliance. In August 2022, the theoretical became actual, with California’s Attorney General, Rob Bonta, announcing a $1.2 million penalty against the French makeup retailer Sephora to send a “strong message” to companies that may not be in compliance with the law.

The enforcement action against Sephora resulted from a previous “investigative sweep” of the market, which resulted in notices of non-compliance to a wide swath of companies in varying sectors, including for lack of disclosures relating to “financial incentives.”

The action against Sephora alleged that the retailer “failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the thirty (30) day period currently allowed by the CCPA.”

Enforcement Specifics

In addition to Sephora having to pay a $1.2 million penalty, the settlement (of note: the matter was not adjudicated but settled) included “injunctive terms, requiring Sephora to:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
  • Conform its service provider agreements to the CCPA’s requirements; and
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.”

Questions Abound

The Global Privacy Control

The first enforcement action raises many questions, perhaps most notably concerning the Global Privacy Control (GPC). After all, the GPC was not a requirement in the text of the CCPA; instead, it was included in the attorney general’s CCPA FAQ page in 2021, which stated the GPC “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” The GPC has been widely discussed as a tool that lets consumers make seamless choices about the processing of their personal information, but adoption remains limited, so mandating the GPC puts businesses in a challenging position. Eric Goldman, a law professor at Santa Clara University School of Law, noted to the IAPP’s “The Privacy Advisor”:

The enforcement action shows the “morass” of GPC and how the attorney general’s office and the California Department of Justice as a whole have “fetishized” the mechanism as a core component to consumer protection despite the fact “most consumers and businesses are not even aware of it.”

Eric Goldman

The Definition Of Sale

Another curious component of the action concerns the attorney general’s interpretation of a “sale” under the CCPA. The position taken in the complaint is that a sale occurs if a business receives a benefit in the form of “free analytics,” which is a departure from the common understanding of “a sale.”

Section 1798.140, subdivision (t), broadly defines sales as the exchange of personal information for anything of value. Sephora’s relationships with these third parties met that definition, because Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits.

Rob Bonta

Steps To Take In Light Of The Enforcement Action

In light of the enforcement action, there are a number of steps businesses should take, including the following:

  • Businesses should have service provider agreements in place so that they have additional standing to argue that an exchange of data is not a sale. In vendor scenarios such as analytics services, use options that allow for “restricted data processing,” which limit the vendor’s use of personal information to providing the agreed-upon services.
  • If a business does “sell” personal information, it should state that in its privacy policy, provide a “Do Not Sell My Personal Information” link, and honor GPC signals.
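To make the GPC point above (and the opt-out question raised under “The Global Privacy Control”) concrete, here is an added illustration of honoring the signal server-side; it is not code from the article, Sephora, or the California AG. It assumes request headers arrive as a plain dict and relies on the GPC specification’s `Sec-GPC: 1` request header and `/.well-known/gpc.json` file; the in-memory preference store is a constructed stand-in.

```python
# Added illustration (not code from the article, Sephora, or the California AG):
# treating the Global Privacy Control signal as a valid "do not sell" request.
# Assumes headers arrive as a plain dict; the GPC spec defines the request
# header `Sec-GPC: 1`, so any other value is treated as no signal.
import json
from dataclasses import dataclass


@dataclass
class ConsumerPrefs:
    """Per-visitor opt-out-of-sale state (constructed in-memory stand-in for a real store)."""
    opted_out_of_sale: bool = False
    source: str = "none"  # "gpc", "link" (the Do Not Sell link), or "none"


def gpc_signal_present(headers: dict) -> bool:
    """True only when the request carries `Sec-GPC: 1`; header names are case-insensitive."""
    value = next((v for k, v in headers.items() if k.lower() == "sec-gpc"), None)
    return value is not None and value.strip() == "1"


def process_request(headers: dict, prefs: ConsumerPrefs) -> ConsumerPrefs:
    """Record a GPC signal as an opt-out. A missing signal never clears an opt-out
    the consumer already made, e.g. through the Do Not Sell link."""
    if gpc_signal_present(headers):
        prefs.opted_out_of_sale = True
        prefs.source = "gpc"
    return prefs


def third_party_tags_allowed(prefs: ConsumerPrefs) -> bool:
    """Gate for analytics/advertising tags that would pass personal information to
    third parties, i.e. the kind of data exchange the AG treated as a sale."""
    return not prefs.opted_out_of_sale


def well_known_gpc(last_update_iso: str) -> str:
    """Body for /.well-known/gpc.json, which the GPC spec uses to announce that a site honors the signal."""
    return json.dumps({"gpc": True, "lastUpdate": last_update_iso})


if __name__ == "__main__":
    # Constructed sample request from a browser with GPC enabled.
    prefs = process_request({"Host": "shop.example", "Sec-GPC": "1"}, ConsumerPrefs())
    print("fire ad/analytics tags:", third_party_tags_allowed(prefs))  # False
```

The gate belongs in front of every tag or server-side call that would pass personal information to a third party, not only in the cookie banner.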

Additional Examples Of Non-Compliance

As part of the announcement, the Attorney General provided additional examples of non-compliance, including not having a “notice of financial incentive,” not recognizing the Global Privacy Control signal, providing incorrect or confusing privacy policy disclosures, and failing to process consumer requests.

The AG Says, “The Kid Gloves Are Coming Off”

At the online press conference concerning the enforcement action, AG Rob Bonta stated that “the kid gloves are coming off.” In line with this ramping up of enforcement, additional warnings of non-compliance were sent out by the AG. The message seems to be getting through, with reports of more brands and marketers taking action to ensure compliance in light of the enforcement action against Sephora.