More than two years after enforcement of the California Consumer Privacy Act (CCPA) began, the California Attorney General has made its first enforcement action under the law, a $1.2 million settlement with retailer Sephora USA, Inc.


Sephora was accused of violating the CCPA’s “Do Not Sell” provisions by not informing consumers about the sale of their data and failing to honor sale opt-outs through Global Privacy Control (GPC) signals. In addition to a monetary penalty, Sephora made a two-year agreement with the AG to honor GPC signals. 


The settlement could be a sign that the AG plans to be more aggressive in enforcing the CCPA with respect to businesses that share or sell personal information to third parties for targeted advertising purposes. At a minimum, businesses that operate in California and utilize third party tracking cookies should revisit their privacy policy and have a mechanism for honoring opt-out requests made via browser-based GPCs. 






A closer look at the Sephora case 


Enforcement of the CCPA—the country’s first comprehensive data privacy law—began on July 1, 2020. Since then, the California AG has published notices of alleged noncompliance. Once a company has received such a notice, it has 30 days to cure (or fix) the issue in question. 


The CCPA requires covered businesses that sell personal information to offer two or more ways for consumers to opt-out of this sales practice. On July 15, 2021, the AG’s office made a small addition to its CCPA FAQ page stating that one way businesses can meet this requirement is with use of the Global Privacy Control (GPC)—a universal opt-out signal sent through a browser to every website a user visits. 


At the time, IAPP said this update “could be a game-changer.” The Sephora case confirms they were right.


In a settlement with Sephora announced on August 24, 2022 Attorney General Rob Bonta said that Sephora: 


  • Failed to notify consumers that it was selling their personal information

  • Failed to process consumer “Do Not Sell My Personal Information” opt-out requests made via the GPC; and

  • Did not address these alleged violations within the 30-day cure period. 


These allegations are detailed in the complaint, which describes how Sephora installs third-party tracking cookies on its website and app. These cookies collect consumer data and provide detailed analytics information that Sephora uses for targeted advertising. 


The complaint notes that in June 2021, the AG “commenced an enforcement sweep of large retailers” to determine whether they honored consumer “do not sell” opt-out signals sent via the GPC. The AG concluded that activating the GPC—found on internet browsers that include Brave, Duck Duck Go, and Mozilla Firefox—did not stop the flow of information from Sephora’s website to advertising and analytics providers. 


The AG says that it notified Sephora of potential CCPA violations, but the retailer did not take sufficient steps to address them. As a result, the AG took legal action against Sephora on behalf of California consumers. 


Breaking Down the Sephora Settlement


California AG Rob Bonta and Sephora agreed to a settlement that will see the retailer pay $1.2 million in fines. The settlement also requires Sephora to comply with the following injunctive terms:


  • Make clear in its online disclosures and privacy policy that it sells personal data to third parties

  • Provide proper consumer opt-out mechanisms for the sale of personal information; 

  • Update its service provider agreements to comply with CCPA requirements; and 

  • Report to the AG for two years on its efforts to process consumer opt-out requests, including requests made using the GPC.

In a press release, Bonta declared:


“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” (...)


My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”


- Rob Bonta, California Attorney General


CCPA data privacy implications of the Sephora settlement 


It’s probably not a coincidence that the AG updated its CCPA enforcement case examples on the same day it announced the Sephora settlement. In fact, the example listed on the top of the page appears to have originated from the same “enforcement sweep” that Sephora got caught up in, and also relates to sale opt-out provisions and the GPC. 


Whether or not the AG was intending to send a message with the timing of these releases, the example situations are a window into some of the issues it has been enforcing. They include financial incentive notices, consumer right notices and privacy policies, requests to know and requests to delete, and opt-out processes. 


Future of Privacy Forum Senior Counsel Stacy Gray took to Twitter to analyze the settlement, calling it a “strategic choice” that emphasizes the importance of the GPC as a universal opt-out. However, she notes that the AG failed to clarify how the GPC signal was communicated (e.g., through the Brave browser, the PrivacyBadger browser extension, etc.). She adds that California’s statutory authority on global opt-outs like the GPC could be undercut by the forthcoming California Privacy Rights Act (CPRA), which is scheduled to take effect January 1, 2023. 


What we know about the CPRA so far


It remains unclear if the CPRA will require businesses to honor global privacy controls. But California has sent its strongest-ever signal that, as long as the CCPA remains the law of the land, companies must accept global opt-outs. Colorado and Connecticut privacy laws also authorize universal opt-out mechanisms. 


A second issue raised by the settlement is the CCPA’s broad definition of “sale.” The AG’s complaint states that Sephora did not inform consumers that it sells their personal information—but this could be because the company did not consider its arrangement with third parties to constitute a sale. 


The settlement makes clear that “if you get a commercial benefit from sharing data, that's a sale under CCPA," according to Justin Brookman, head of tech policy for Consumer Reports. In this case, when Sephora made consumer data available to third parties, and received the benefit of ads targeting specific consumers, this was considered “selling” personal information and thus triggered CCPA legal obligations (i.e., informing consumers that it is selling their information and providing at least two opt-out mechanisms). 


Preparing for a future without cookies


Taking a broader view of the Sephora settlement, it is yet another sign that marketers should be reducing their reliance on third-party data. With or without universal opt-out mechanisms, the cookieless future is well underway. A growing list of browsers are abandoning tracking cookies and ushering in a new marketing era. Google’s Chrome, the world’s leading browser, will end the use of third-party cookies by the end of 2024


Future-proofing your digital marketing strategy means ditching third-party data and adopting a zero-party data strategy that places consumer consent front and center. 


A Consent Management Platform from Didomi lets you collect user consent and preferences globally, across all domains and devices. Find out how you can generate new business opportunities in a privacy-focused world: 


  Request a demo