California AG Issues First Fine for CCPA Violations
Privacy In Focus®
The California Attorney General (AG) made headlines in August by issuing a $1.2 million fine against online retailer Sephora to resolve allegations that the business violated the California Consumer Privacy Act (CCPA). This action represented a major shift in AG enforcement efforts, which had previously focused on issuing warning letters under the notice and cure provisions of the CCPA. In announcing the enforcement action, the California AG stated: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”
The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling consumer data, not including a “do not sell my personal information” opt-out button on its website, and not honoring Global Privacy Control (GPC) signals. Sephora was provided a 30-day cure period but allegedly did not bring its practices into compliance during that time.
This enforcement action is notable for several reasons. First, it arose from the AG’s compliance sweep of online retailers, illustrating one of the multiple channels the AG has available to pursue investigations. Of note, AG investigations to date have frequently been triggered by consumer complaints. Additionally, this enforcement action is a clear sign that businesses must carefully evaluate whether their data sharing practices are a “sale” under the CCPA. The CCPA’s definition of sale is broad and captures significantly more activities than a straightforward transaction. Finally, the AG clearly signaled in this action that businesses must honor Global Privacy Control signals. In addressing this element of the settlement, the AG stated: “[t]echnologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses … ignore requests to opt-out of its sale.” Failure to do so will be treated as a CCPA violation.
In the countdown to implementation of the California Consumer Rights Act (CPRA) on January 1, 2023, the California AG’s office has not become complacent in its enforcement of the CCPA. Under the CPRA, the AG retains enforcement authority along with the newly created California Privacy Protection Agency (CPPA). Businesses should pay careful attention to these enforcement efforts and evaluate their data collection and use practices to ensure they comply.
© 2022 Wiley Rein LLP