The People v. Sephora: How the First California Consumer Privacy Act Enforcement Decision Could Influence Your Advertising Activities

The California Office of the Attorney General (OAG) entered into a settlement agreement with Sephora following an investigation into Sephora's consumer privacy practices, including its collection, use, and sale of consumers' online activities and other personal information. Sephora agreed to pay over $1 million in penalties and submitted to injunctive relief, including ongoing supervision by the OAG.

This program explores the marketing techniques that captured the OAG's attention and the broad impact of the California Consumer Privacy Act on the collection, use, and sale of customer information across the country. Experts gave an overview of lessons learned from the OAG enforcement action and an understanding of how your company may need to adapt its marketing methods to comply with the CCPA and avoid the OAG's scrutiny now that the CCPA's notice and cure provisions have expired.

Key Takeaways

The CCPA was signed into law in 2018 and took effect on Jan 1, 2020. It created new privacy rights for Californians and new data protection obligations for businesses. The new rights and obligations are designed to give consumers more control over the personal information businesses collect and share.

Allegations were filed against Sephora by the California Attorney General (AG) because the company did not disclose that it sold data. The "Final Judgment and Permanent Injunction" summarized the situation:

"Sephora did not do this. Sephora did not tell consumers that it sold their personal information; instead, Sephora did the opposite, telling California consumers on its website that 'we do not sell personal information.' Sephora also did not provide consumers with an easy-to find 'Do Not Sell My Personal Information' link, either on its webpage or in its app. To help consumers who want to easily opt-out, the CCPA requires that a business take steps to ensure that any user who has 'user-enabled global privacy controls' is treated the same as users who have clicked the 'Do Not Sell My Personal Information' link. This requirement was intended to spur innovation and encourage the development of technologies that would allow consumers to universally opt-out of all online sales in one fell swoop, giving consumers the agency and ability to stop their data from being sold over and over again."

Insights into the AG's allegations and findings include:

  • The action provided clarity around what constitutes a sale under the CCPA.
  • The CCPA defines "sale" to include any transfer of personal information to a third party for monetary or valuable consideration. For instance, Sephora shared customer information with advertising networks, business partners and data analytics providers in exchange for advertising and analytics. While there was no allegation of a monetary exchange, the California AG found that this constituted a sale because Sephora was receiving free or discounted advertising and analytics in return for access.

Key takeaways for businesses and marketers:

  • Reinforces the need for a strong privacy program.
  • Illustrates the need for clear privacy statements and policies, and for knowledge of what is collected and who has access.
  • Must effectively operationalize privacy requirements.
  • Ensure opt-out features work appropriately.
  • Ensure appropriate stakeholders have visibility into vendor agreements.
  • Need to maintain close communication with privacy counsel and IT/technology teams, and look at laws regarding cookies and pixels.

Action Steps

Best practices for companies in regard to privacy compliance:

  • Engage in the planning phase.
  • Engage upon the implementation of new technologies.
  • Engage before entering into agreements with vendors, partners, or affiliates to share information.
  • Clarify the goal of the specific marketing campaign at the outset.
  • Understand the specific types of information needed for success.

Further, it's key to define a compliance program. Lynn Parker Dupree, Partner at Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, explains the outcome in "A Brief Summary of the People of the State of California v. Sephora USA, Inc.":

"...the settlement included a payment of $1.2 million to be remitted into the Consumer Privacy Fund no later than 30 days after the effective date of the settlement. Ultimately, companies may benefit from implementing a version of the CCPA compliance program outlined in the settlement because understanding the nature of each relationship with third-party entities may prove vital in staying compliant with the CCPA."

CLE Materials


"The People v. Sephora: How the First California Consumer Privacy Act Enforcement Decision Could Influence Your Advertising Activities." Lynn Parker Dupree, Partner at Finnegan, Henderson, Farabow, Garrett & Dunner, LLP; Rebecca MacVittie, general counsel at NewStore; Lindsay Lennon Vogel, lead U.S. counsel at Bumble; Margaret Esquenet, partner at Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. 2023 ANA Law 1-Day Conference, 4/26/23.