Legal Anatomy of California’s First CCPA Settlement – Learn California’s Definition of a Sale of Personal Information

Privacy advocates pay close attention. With an assist from Gunderson Dettmer.

Sephora was bad. It failed to inform customers that it was selling its data while claiming on its website that it didn’t sell personal information. Then it ignored the California AG cure period. And for that, it was fined a mere $1.2 million.

The settlement against Sephora arose out of the AG’s “enforcement sweep” of online retailers. Despite the AG notifying Sephora of alleged CCPA violations, Sephora failed to cure those violations within the 30-day cure period currently allowed under the CCPA.

That, all by itself, should have been sufficient grounds to shut the place down. The effects of our “no consequence” law enforcement policies seem to be an overflowing street crime and finding comfort alongside corrupt political miscreants in the corporate world.

The Crime

Specifically, the AG determined that Sephora violated the CCPA by doing the following:

Failing to disclose to consumers that Sephora sold their personal information, despite deploying third-party tracking technologies (including cookies, pixels and software development kits) on its website that monitored consumers while they shopped and automatically sent data about consumers’ online behavior to the third-party companies.

Marketing lessons in here.

In exchange for its shoppers’ personal information, Sephora received analytics data and an opportunity to serve targeted advertisements to the same shopper through the third-party’s advertising network. The enforcement action makes clear that the AG broadly interprets the term “sale” under the CCPA and applies it to “both the trade of personal information for analytics and the trade of personal information for an advertising option.”

Failing to provide consumers with methods to opt out of the sale of their personal information.

Under the CCPA, California consumers have the right to opt out of the sale of their personal information and businesses are required to provide consumers with at least two methods to submit opt-out requests, including via a mandatory “Do Not Sell My Personal Information” link conspicuously posted on its website homepage.

Additionally, an often overlooked regulation requires businesses that collect personal information online to “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting or other mechanisms that communicate or signal the consumer’s choice to opt out of the sale of their personal information as a valid request.”

In addition to failing to post a “Do Not Sell My Personal Information” link on its website homepage, Sephora failed to respond to or process consumer opt outs via global privacy control signals.

The Consequence

The settlement requires Sephora to:

  • Update its disclosures, including its privacy policy, to state that it sells personal information;
  • Provide consumers with mechanisms to opt out of the sale of their personal information and recognize global privacy control signals;
  • Incorporate CCPA-specific terms in its service provider agreements; and
  • Provide reports to the AG on progress regarding the above requirements.

Takeaways?

First and foremost, with the broadest potential impact, the settlement shines a light on the AG’s expansive reading of a “sale” of personal information under the CCPA.

The CCPA defines a “sale” of personal information as the disclosure of consumer personal information by a business “to another business or a third party for monetary or other valuable consideration.” Because Sephora gave companies access to consumers’ personal information in exchange for free or discounted analytics and advertising benefits, Sephora effectively “sold” the personal information to third-party tracking services. Notably, Sephora did not have valid service provider contracts in place with each third party, which is one exception to a “sale” under the CCPA.

Second, the AG is serious about enforcing businesses’ recognition of global privacy controls, such as the Global Privacy Control (“GPC”).

User-enabled global privacy control is a tool that allows the consumer to signal their opt out request on websites they visit without having to manually request to opt out of the sale of their personal information on each website. While user-enabled global privacy controls typically take the form of a browser plugin, the AG’s office has stated that the regulation is “technology-neutral” and “does not prescribe a particular mechanism or technology.” The AG has singled out the GPC as one mechanism that satisfies the legal requirements and should be recognized. The GPC is a specification that was developed by a broad coalition of stakeholders, including the current executive director of the California Privacy Protection Agency and other web publishers, technology companies, browser vendors, extension developers, academics and civil rights organizations.

What Steps Should Businesses Take?

Given the above, businesses subject to the CCPA should take the following steps to ensure compliance:

Review your use of third-party tools, such as cookies and pixels, to determine whether you “sell” personal information.

If you do not have CCPA service provider language incorporated into the contract with the third-party service provider, sharing of consumers’ personal information with the third party could constitute a “sale” unless another exception applies under the CCPA.

Remember that a “sale” doesn’t necessarily require any money to change hands and your use of common analytics and advertising cookies and other tracking technologies could mean that you “sell” personal information.

Ensure that your privacy policy is up to date with your current data sharing practices. If your review of third-party tools reveals that you engage in a “sale” of personal information, make sure that your privacy policy states that indeed, you “sell” personal information.

Ensure that you provide consumers with other opt out methods if you engage in a “sale” of personal information, including through recognition of global privacy control signals.

Businesses are required to provide consumers with at least two methods to opt out of the sale of their personal information. Remember, businesses that sell personal information must include a “Do Not Sell My Information” link on their homepage, which should allow the consumer to opt out of the sale. Additionally, businesses that collect personal information from consumers online must treat user-enabled privacy controls, such as the GPC, as a valid request to opt out of the sale.

CCPA and CPRA Together

While under the CCPA businesses are entitled to a 30-day cure period after notification of non-compliance, once the California Privacy Rights Act (“CPRA”) comes into effect on January 1, 2023, the cure period becomes discretionary.

There are sufficiently strong potential costs and restrictions associated with both (CCPA and CPRA) acts, a comprehensive review with marketing would be in order for those companies who qualify.

As a reminder, a company that conducts for-profit business in California and meets any of the following falls within the jurisdiction of the CCPA: Has a gross annual revenue of over $25 million; buys, receives or sells the personal information of 50,000 or more California residents, households or devices; or derives 50% or more of their annual revenue from selling California residents’ personal information.

The CPRA applies to any entity that collects consumers’ personal information and:

  • Determines the purpose and means of processing that information,
  • Does business in the state of California, and meets one or more of the following thresholds:
    • 1) Has annual gross revenue in excess of 25 million, adjusted for inflation,
    • 2) Annually buys, sells or shares the personal information of 100,000 or more consumers or households or,
    • 3) Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

The CPRA increases both enforcement and potential penalties businesses may face.

The CPRA transfers authority to pursue violations from the California Attorney General to a new privacy-focused agency, the California Privacy Protection Agency (CalPPA).

When facing enforcement action, businesses will no longer have CCPA’s 30-day cure period before being fined for a violation by CalPPA. In addition, the CPRA introduces an automatic $7,500 fine for a violation involving the personal information of minors. In addition to consumers’ existing private right of action for breaches of unredacted and unencrypted personal information, the CPRA makes a private right of action available if an email address and password or security question and answer that would allow access to the account is breached.

If ever involved in a dispute with either agency, we recommend that you immediately hire a CCAP/CPRA experienced attorney to represent your company and every employee involved with the configuration of rules from the outset.

Read more: