Sephora Settles with California AG for $1.2M for Alleged CCPA Violations Relating to Third-Party Cookies and User-Enabled Opt-Out Signals

On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora for violations of the California Consumer Privacy Act (CCPA). The action places online consumer tracking, analytics and advertising squarely in the regulatory crosshairs. “Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” the AG alleged, “. . . [and] when a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web.”

Specifically, the AG claimed that Sephora (1) failed to disclose to consumers that it was “selling” personal information by making personal information available to third parties via third-party website cookies; (2) failed to comply with associated requirements, such as posting a “Do Not Sell My Personal Information” link on its webpage; and (3) failed to honor user-enabled opt-out preference signals, such as the Global Privacy Control (GPC). Further, the AG alleged that Sephora failed to cure its violations within the CCPA’s prescribed thirty-day cure period following receipt of the AG’s violation notice.

Sephora ultimately settled with the AG, agreeing to pay $1.2M and comply with a consent decree requiring Sephora to disclose that it sells personal information, honor user-enabled opt-out requests, conduct regular reviews of its websites and apps to monitor its disclosures of personal information via those channels, and file reports with the AG regarding the same for the next few years.

1. Are disclosures of personal information via third-party cookies “sales” under the CCPA?

Maybe. CCPA Section 1798.140(t) defines “sell” to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.” But — like Sephora, many businesses use third-party website cookies for various purposes, including advertising, web analytics, performance, social media, and more. Are all these relationships “sales” of data?

The Sephora complaint and settlement suggest that, unless each cookie fits within an exemption to the definition of “sale,” then the answer to that question may be “Yes.” Under the CCPA and amendments thereto enacted by the California Privacy Rights Act (CPRA), there are two relevant exceptions to what constitutes a “sale” — the “service provider” exception and the “directed disclosure” exception. In the Sephora complaint and settlement, only the “service provider” exception is discussed. 

A business does not sell personal information when it discloses information to a “service provider.” Under the CCPA and CPRA, a service provider is an entity that processes personal information on behalf of a business. But there’s a catch — to be a service provider, an entity must have a written contract with the business prohibiting the entity from using personal information it receives or collects in the provision of services to the business for its own purposes. In the Sephora complaint and settlement, the AG focused on these contracts — alleging that Sephora did not have them in place and requiring them for any new service provider relationship.

But what about the “directed disclosure” exemption? Under this exemption, a business does not sell personal information when a consumer uses or directs the business to intentionally disclose their personal information. Many businesses have implemented cookie banners on their websites to rely on this “directed disclosure” exception. When the consumer clicks “accept” on the business’s cookie banner, so the argument goes, the consumer “directs” the business to disclose their personal information to the site’s third-party cookie providers — thus satisfying the exemption.

Notably, the Sephora complaint and final judgment say nothing about cookie banners or the directed disclosure exception. Thus, there still appears to be a valid argument that disclosures to third-party cookie hosts after a consumer clicks “Accept” on a cookie banner are not “sales” under the CCPA/CPRA. That said, it’s not clear that that argument aligns with the California AG’s or the California Privacy Protection Agency’s (CPPA) view of sales involving online tracking technologies. Notably, in the Sephora final judgment, the AG gave Sephora three options with regard to disclosures of personal information to entities that are not Sephora’s service providers — (1) comply with California Civil Code §§ 1798.120 and 1798.135 (treating such disclosures as “sales”); (2) enter into or amend its contract with the entity to make it a service provider; or (3) “cease making available personal information to that entity.” Conspicuously absent from that list is the option to post a cookie banner to utilize the directed disclosure exception from the definition of “sale.”

The compliance requirements for a business that sells data are not trivial. If a business sells personal information, it must disclose to consumers that it does so in its online privacy policy and any other California-specific description of consumer rights. The business must also allow consumers to opt-out by posting a “Do Not Sell My Personal Information” link on its website and “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism” as valid opt-out requests. See Cal. Civ. Code § 1798.135(a); 11 C.C.R. § 7026(c); see also Cal. Civ. Code § 1798.135(a), (b) (as amended by the CPRA, effective January 1, 2023) (requiring a business that sells or shares personal information to post a “Do Not Sell or Share My Personal Information” link on its website or honor opt-out requests received via “an opt-out preference signal sent” by the consumer via a “platform, technology, or mechanism”).

2. What about Sephora’s alleged failure to comply with the Global Privacy Control?

The AG’s complaint describes recognition of the Global Privacy Control (GPC) as a CCPA requirement for businesses that sell personal information that allows consumers to “universally opt-out of all online sales in one fell swoop.” “To help consumers who want to easily opt-out, the CCPA requires that a business take steps to ensure that any user who has ‘user-enabled global privacy controls’ is treated the same as users who have clicked the ‘Do Not Sell My Personal Information’ link,” the complaint explains, “. . . [w]ith a universal opt-out, consumers can broadcast a ‘do-not-sell’ signal across every website they visit, without having to click each time on an opt-out link.”

The AG’s focus on the GPC appears to have begun after the AG conducted an enforcement sweep to identify businesses whose websites did not comply with GPC and similar user-enabled opt-out signals. As the complaint alleges, “Sephora’s website was not configured to detect or process any global privacy control signals,” meaning that Sephora “wholly disregarded consumers who communicated to the company, via a global opt-out signal, that Sephora should not sell their personal information.” As a result, the Sephora settlement requires Sephora to “process consumer requests to opt-out signaled via the Global Privacy Control or the ‘GPC.’”

The CCPA regulations require businesses that collect personal information from consumers online to “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to [CCPA] section 1798.120 for that browser or device or, if known, for the consumer.” See 11 C.C.R. § 7026(c)(2). The CPRA amendments to the CCPA further provide that to the extent businesses must comply with user-enabled opt-out signals, they must recognize those “sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications [to be detailed in regulations].” Cal. Civ. Code § 1798.135(b). And the CPPA’s draft CPRA regulations provide that businesses must comply with opt-out preference signals that are “in a format commonly used and recognized by businesses,” such as “an HTTP header field.” The only problem is that there presently are no “commonly used and recognized” user-enabled opt-out methods. Businesses are required to honor opt-out preference signals under the existing CCPA regulations, but it’s not clear which signals they must recognize.

The Global Privacy Control is only one user-enabled opt-out method, and it isn’t widely available. According to its website, the GPC is compatible with only seven Internet browsers that collectively account for a small percentage of internet traffic — (1) Abine; (2) Brave; (3) Disconnect; (4) DuckDuckGo; (5) Firefox; (6) OptMeowt; and (7) Privacy Badger. Conspicuously absent from that list are Google Chrome, Microsoft Edge, Apple Safari and many others. And although the GPC touts millions of consumer users, only a handful of companies appear to honor its signals on their sites.

3. What does the Sephora case mean for future CCPA/CPRA enforcement?

The California AG’s message in the Sephora case is clear. Consumers don’t like online tracking and want meaningful ways to convey their privacy choices to businesses when they use the Internet. More enforcement actions are likely, particularly after the 30-day cure provision in the CCPA expires on January 1, 2023. In the meantime, businesses should review and assess their usage of website cookies to ensure that they have appropriate service provider contracts in place with cookie providers and/or have otherwise appropriately assessed their risks of non-compliance. Businesses should also likely ensure compliance with the GPC and other user-enabled out-opt preference signals, update their privacy policies as needed and assess whether their websites otherwise comply with CCPA/CPRA requirements.