On August 24, 2022, California Attorney General Rob Bonta (“AG”) announced a settlement with Sephora, Inc., resolving allegations that the company violated the California Consumer Privacy Act (“CCPA”). The order includes a permanent injunction as well as a $1.2 million fine. This action stems from a June 2021 enforcement sweep of major retailers by the Attorney General to determine whether they continue to sell personal information when a consumer signals an opt-out through the Global Privacy Control (“GPC”), a browser extension used to notify companies of consumers’ privacy preferences, which also gives a website a mechanism to indicate that it supports the specification. This action is significant not only because it is the first CCPA enforcement action from the California AG’s office, but also because it addresses the much-debated question of what constitutes a “sale” of personal information under the CCPA.
According to the AG’s complaint, Sephora installed tracking software from third-party companies on its website and in its app so that third parties could monitor consumers while they shopped. In this case, they would track data such as:
“whether a consumer uses a Macbook or a Dell, the brand of eyeliner a consumer puts in their ‘shopping cart’, and even the specific location of the consumer. Some of these third-party companies maintain complete profiles of users who visit Sephora’s website, which the third parties then use for the benefit of Sephora. The third party may provide detailed analytical information about Sephora’s customers and provide it to Sephora, or offer Sephora the ability to purchase online advertisements targeting specific consumers, such as those who have left eyeliner in their cart after leaving the Sephora website. This consumer data is frequently retained by businesses and used for the benefit of other businesses without the consumer’s knowledge or consent.”
At the heart of this enforcement action is whether Sephora engaged in the “sale” of personal information, which is broadly defined in the CCPA as sharing or exchanging data “for monetary or other valuable consideration.” Other similar state laws define sales more strictly as exchanges for “monetary consideration” only. What constitutes “valuable consideration” in this context has been much debated since the enactment of the CCPA, with little guidance so far. According to the AG:
“Sephora has allowed third-party companies to access its customers’ online activities in exchange for advertising or analytics services. Sephora knew that these third parties would collect personal information when Sephora installed or allowed the installation of the affected code on its website or in its application. Sephora also knew it would receive discounted or better-priced analytics and other services derived from data about consumers’ online activities, including the ability to target ads to customers who had simply searched for products online.”
More importantly, although it is buried in the middle of the AG’s complaint, the complaint says “Sephora also did not have valid service provider contracts with each third party, which is an exception to ‘selling’ under the CCPA.” Therefore, the AG’s complaint states: “[a]ll of these transactions were sales under the law.”
When Sephora failed to cure within 30 days, the AG entered into a tolling agreement effective September 15, 2021, which led to the filing of the lawsuit in California Superior Court, and ultimately to the order approving final judgment and permanent injunction on August 24.
The complaint and final judgment accuse Sephora of several categories of violations, including failure to provide notice of sale, failure to comply with sale opt-outs, failure to provide the “Do Not Sell My Information” link to opt out of sales, and others. But the crux of this case is the assertion that Sephora was actually “selling” information as defined by the CCPA. All of the alleged violations (failure to disclose the sale of information, failure to provide a “do not sell” link, failure to respond to GPC signals opting out of the sale of information) stem from the premise that Sephora was, in fact, “selling” the information as defined, for valuable consideration. The complaint suggests that targeted advertising could be a “valuable consideration” benefit and alleges that Sephora “gave companies access to consumers’ personal information in exchange for free or discounted analytics and advertising benefits.” But this benefit would not be relevant if the companies were service providers within the meaning of the CCPA.
Under the CCPA (Cal. Civ. Code 1798.140(v)), a service provider is defined as “a…legal entity…that processes information on behalf of a business and to which the business discloses the personal information of a consumer for commercial purposes pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retention, use or disclosure of personal information for commercial purposes other than the provision of the services specified in the contract with the company.” (emphasis ours).
I suspect – although it is not clear from the documents – that Sephora may have assumed that it was not selling the information because it had determined that analytics companies fell under the “service provider” exemption. If Sephora’s assumption had been correct, it would not have been required to assume all of the obligations that it has now been found to have breached. However, in the words of the AG, Sephora “did not have valid service provider contracts” in place with the third parties, and therefore did not fall under the service provider exemption. Thus, they were required to respect the obligations associated with the “sales” of personal information, which they did not do.
Lessons learned and open questions
For other companies engaged in targeted advertising and analytics, a cursory reading of this action might lead to the conclusion that, simply by engaging third-party web analytics providers, they must be “selling” data and therefore must comply with heightened “sale” obligations. However, I believe a closer read reveals the real lesson: ensure that you have sufficient contracts in place with your third-party analytics providers that contain the necessary restrictions required by the CCPA (for example, Cal. Civ. Code 1798.140(v); Cal. Code Regs. 11.7051). The CPRA adds two nearly identical categories of entities, “contractors” and “service providers,” with similar definitions. It also includes new contractual requirements for sharing information with a service provider or contractor. By ensuring that sufficient contractual agreements are in place between companies and third-party analytics companies, companies can more reliably rely on the service provider exemption from the definition of “sale.”
However, this raises the question of what gaps may have existed in the agreements between Sephora and its third-party vendors such that the AG deemed them insufficient and the transactions therefore “sales” under the CCPA. The AG’s complaint states, “Sephora also did not have valid service provider contracts with each third party.” But it’s unclear whether the AG means Sephora had no contracts in place at all, or that it did, but those contracts weren’t “valid.”
It seems doubtful that a large, sophisticated company such as Sephora had no contracts in place. Thus, either: (a) formal contracts may have been in place but lacked the sufficient terms and conditions required by the CCPA and the regulations; or perhaps (b) the company simply created user accounts pursuant to “clickwrap” terms and conditions which also lacked such sufficient terms and conditions, or such clickwrap terms and conditions were, by their nature, found by the AG to be insufficient to be valid contracts (but see, for example, B.D. v. Blizzard Entertainment, Inc., 76 Cal. App. 5th 931 (March 29, 2022)).
In summary, the first CCPA enforcement action issued by the AG is significant in its own right, but also because it underscores the importance of the heightened obligations associated with the sale of personal information to third parties. It is also important because it raises questions about the important and much-debated topic of what constitutes “valuable consideration” and a “sale” under the CCPA. It remains to be seen how many additional enforcement actions the AG takes during the transition of regulatory and enforcement authority to the CPPA under the CPRA, but the AG’s additional interpretations (and their consistency with or deviations from the CPPA’s) will be informative as to how businesses can comply with requirements regarding the sale of personal information.