California Attorney General announces the first settlement from enforcement of the California Consumer Privacy Act. The press release states:
California Attorney General Rob Bonta today announced a settlement
with Sephora, Inc. (Sephora), resolving allegations that the company violated
the California Consumer Privacy Act (CCPA), California’s first-in-the-nation
landmark privacy law. After conducting an enforcement sweep of
online retailers, the Attorney General alleged that
Sephora failed to disclose to consumers that it was selling their personal
information, that it failed to process user requests to opt out of
sale via user-enabled global privacy controls in violation of the CCPA,
and that it did not cure these violations within the 30-day period currently
allowed by the CCPA. Today's settlement is part of ongoing efforts by
the Attorney General to enforce California's comprehensive consumer
privacy law that allows consumers to tell businesses to stop selling their
personal information to third parties, including those signaled by the Global
Privacy Control (GPC).
“Technologies like the Global Privacy Control are a game
changer for consumers looking to exercise their data privacy rights.
But these rights are meaningless if businesses hide how they are using
their customers' data and ignore requests to opt out of its sale,” said
Attorney General Bonta. “I hope today’s settlement sends a strong
message to businesses that are still failing to comply with California’s
consumer privacy law. My office is watching, and we will hold you accountable.
It’s been more than two years since the CCPA went into effect, and
businesses’ right to avoid liability by curing their CCPA
violations after they are caught is expiring. There are no more
excuses. Follow the law, do right by consumers, and process opt-out requests
made via user-enabled global privacy controls.”
The settlement with Sephora underscores the
critical rights that consumers have under CCPA to fight commercial
surveillance. Consumers are constantly tracked when they go
online. Many online retailers allow third-party companies to install
tracking software on their website and in their app so that third parties
can monitor consumers as they shop. These third parties track all types of data
– in Sephora’s case, the third parties could create profiles about
consumers by tracking whether a consumer is using a MacBook or a Dell, the
brand of eyeliner or the prenatal vitamins that a consumer puts in their “shopping
cart,” and even a consumer's precise
location. Retailers like Sephora benefit in kind from these
arrangements, which allow them to more effectively target potential customers.
Sephora's arrangement with these companies constituted a
sale of consumer information under the CCPA, and it
triggered certain basic obligations, such as telling consumers that they
are selling their information and allowing consumers to opt out of the
sale of their information. Sephora did neither.
Today's settlement requires Sephora to pay $1.2 million
in penalties and comply with important injunctive
terms. Specifically, Sephora must:
- Clarify its online disclosures and privacy policy to
include an affirmative representation that it sells data;
- Provide mechanisms for consumers to opt out of the
sale of personal information, including via the Global Privacy
Control;
- Conform its service provider agreements to the CCPA’s
requirements; and
- Provide reports to the Attorney General relating
to its sale of personal information, the status of its service
provider relationships, and its efforts to honor
Global Privacy Control.
As part of his ongoing efforts to enforce CCPA, Attorney
General Bonta also sent notices today to a number of businesses alleging
non-compliance relating to their failure to process consumer opt-out requests
made via user-enabled global privacy controls, like the GPC. A global
privacy control allows consumers to opt out of all online sales in
one fell swoop by broadcasting a "do not sell" signal
across every website they visit, without having to click on an opt-out
link each time. Under the CCPA, businesses must treat opt-out requests
made by user-enabled global privacy controls the same as requests made
by users who have clicked the “Do Not Sell My Personal Information” link.
Businesses that received letters today have 30 days to cure the
alleged violations or face enforcement action from the Attorney
General. The CCPA’s notice and cure provision, which requires businesses
to receive notice and opportunity to cure before they can be held
accountable by the Attorney General for CCPA violations, will
expire on January 1, 2023.
Attorney General Bonta is committed to the robust enforcement
of California's groundbreaking data privacy law. Since July 1, 2020, the
Attorney General has issued notices to a wide array of businesses
alleging noncompliance with the CCPA. Notices to cure have been
issued to major corporations in the tech, healthcare, retail, fitness,
data brokerage, and telecom industries, among others. New examples of
notices to cure are available at oag.ca.gov/ccpa and include:
- An enforcement sweep of businesses operating
loyalty programs that offered financial incentives such as discounts,
free items, or other rewards, in exchange for personal information
without providing consumers with a notice of financial
incentive;
- An online advertising business whose privacy
disclosures were not understandable to the average consumer and did
not include the required information; and
- A data broker whose "Do Not Sell My Personal
Information" link worked only on certain browsers and directed
consumers to a confusing webpage that required several additional steps to
submit CCPA requests.
For more information about the CCPA, visit oag.ca.gov/ccpa. To
report a violation of the CCPA to the Attorney General, consumers can submit a
complaint online at oag.ca.gov/report.
Consumers can also directly notify businesses of potential violations using the Consumer
Privacy Tool.
A copy of the complaint is available here.
A copy of the settlement is available here.