Price of Privacy: Sephora Fined $1.2M for Violating CCPA


How often do you shop online? If you’ve digitally browsed anything from clothing to an apartment in the past few years, you may be familiar with the typical message that pops up when you visit a retail site: We collect your data. Would you like to opt out? Even then, they usually make it easier to accept giving them your data than it is to decline and tell them no.

Now imagine you go through the extra effort to say no, only to find out that the website is selling your data (captured in a web tool called ‘cookies’) anyway. That’s exactly what happened to Sephora customers, who discovered their opt-out requests were being ignored and their data sold without their permission, even after they had expressly said ‘no’ by opting out, and without any notice as to what was being done with it.

More often than not you feel ignored; some even feel as if their trust has been violated. Well, if you’re from California, the CCPA (California Consumer Privacy Act) empowers you by requiring the company to ‘listen’ to you.

Last week, the Attorney General of California reached a settlement with Sephora, a company that operates 2700 stores worldwide. Consumers are getting real-time answers to their questions: What happens to the data that websites collect? Do these privacy settings actually protect my right to decide what happens to my data? 

The Privacy Violation

Under the California Consumer Privacy Act, more commonly known as the CCPA, businesses are required to disclose to customers when they are collecting and/or selling their personal data. That covers the right to know who is gathering and buying their information, what is collected, and why it’s being gathered and sold. It has been compared to the European Union’s GDPR in terms of its wide-reaching protection of consumer data. 

Despite the CCPA going into effect in July 2020, Sephora was found noncompliant with the law’s disclosure requirements two years later. Customers who had chosen to opt out of data collection had that legal right disregarded and their information gathered just like every other visitor. Meanwhile, the store was unclear about what was happening to all of that personally identifying information (PII). 

What that means for consumers: basically, whether you accepted or rejected their data collection, Sephora was keeping track of users’ cookies anyway. If you went on their site looking for lipstick, you were sure to be plagued by deals on gloss and ads for blush either way.

The Settlement

Attorney General Rob Bonta fined the company $1.2M for failing to fix these oversights in the two years since the CCPA went into effect. 

In response, spokespeople from Sephora pointed out that the CCPA broadly defines the “sale” of data to include tracking cookies, which Sephora used to show you more relevant Sephora products and advertise sales. According to the company, this is outside the colloquial understanding of the term.

Nonetheless, in compliance with the settlement, the website now displays a link to actually opt out of data collection. That also covers consumers who use Global Privacy Control (GPC), a browser setting that automatically broadcasts your opt-out preference to the websites you visit. This removes the burden of opting out of data collection from your shoulders.


In addition to honoring opt-out requests made through the website, Sephora now also clearly states its privacy and data collection policies when you opt out. The company is also required to notify any third-party service providers in writing that they must follow the CCPA too, and it must honor opt-out requests whether they arrive through the pop-up on its site or via GPC.
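To make the two opt-out channels concrete, here is an added example (not Sephora’s code, nor anything from the settlement) of how a site’s backend can honor both signals: the GPC header a browser sends on its own and an opt-out choice made through the site’s pop-up. The cookie name `ccpa_opt_out` and the tracking cookie names are constructed for illustration; the `Sec-GPC: 1` header is the one defined by the GPC specification.

```python
from dataclasses import dataclass

OPT_OUT_COOKIE = "ccpa_opt_out"              # assumed name of the site's own opt-out cookie
TRACKING_COOKIES = {"_ad_id", "_affiliate"}  # constructed names of ad/affiliate tracking cookies


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    reason: str   # "site-opt-out", "gpc" or "none"


def _normalize(headers):
    # HTTP header names are case-insensitive; compare on lowercase keys.
    return {k.lower(): v for k, v in headers.items()}


def parse_cookies(cookie_header):
    # Minimal Cookie-header parser: "a=1; b=2" -> {"a": "1", "b": "2"}.
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def decide(headers):
    # Either channel is enough to opt the visitor out: an explicit choice made
    # through the site's pop-up, or the GPC signal the browser sends by itself.
    h = _normalize(headers)
    cookies = parse_cookies(h.get("cookie", ""))
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return OptOutDecision(True, "site-opt-out")
    # Per the GPC specification the browser sends exactly "Sec-GPC: 1" when enabled;
    # any other value, or no header at all, means no signal was expressed.
    if h.get("sec-gpc", "").strip() == "1":
        return OptOutDecision(True, "gpc")
    return OptOutDecision(False, "none")


def filter_set_cookie(set_cookie_values, decision):
    # Drop any Set-Cookie value that would create a tracking cookie for an opted-out
    # visitor; functional cookies (e.g. the session) are left untouched.
    if not decision.opted_out:
        return list(set_cookie_values)
    return [sc for sc in set_cookie_values
            if sc.split("=", 1)[0].strip() not in TRACKING_COOKIES]
```

The same decision is what the backend should pass on when it tells its third-party providers not to sell that visitor’s data.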

Still worried? Don’t be. Sephora will update the Attorney General with how they’re working to ensure data privacy for their customers on a regular basis. 

Following the settlement, other businesses that service customers in California are next in the hot seat. The CCPA stipulates that any organization that handles a Californian customer’s PII must accept privacy settings set with GPC, and yes, this applies to companies based outside of the state. Sephora, for instance, has headquarters in Paris. Currently, the CCPA permits 30 days’ notice to become compliant with their regulations, but even that courtesy will disappear in 2023. Starting in January, violators may be immediately subject to fines and other disciplinary action. 

Know your privacy rights! The CCPA applies to California residents, but the rising focus on privacy rights virtually guarantees that more legislation will follow as the cyber-landscape changes and advances. Follow our blog for tips on staying safe as well as the latest news in information security! 
