Settlement | High Risk

CA AG Settles with Sephora for $1.2M Over CCPA Opt-Out Failures

Sephora, Inc. | August 24, 2022 | California Attorney General

Penalty Amount

$1,200,000

Summary

California Attorney General Rob Bonta announced a settlement with Sephora, Inc. resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to disclose it was selling consumers' personal information and failing to process opt-out requests via user-enabled Global Privacy Controls. Sephora agreed to pay $1.2 million in penalties and implement injunctive measures including updating privacy disclosures, enabling opt-out via GPC, conforming service provider agreements to CCPA, and reporting to the AG. The settlement is part of ongoing CCPA enforcement efforts, with the AG also issuing cure notices to other businesses failing to honor GPC opt-out signals.

Remedy

Sephora must pay $1.2 million in civil penalties. It must update its privacy policy and online disclosures to affirmatively disclose that it sells consumer personal information, implement mechanisms to allow consumers to opt out of data sales including via the Global Privacy Control (GPC), update all service provider agreements to comply with CCPA requirements, and submit regular reports to the California Attorney General regarding its data sale practices, service provider relationships, and GPC compliance efforts.

Monetary Penalty, Injunction, Reporting Requirements

Contract Impact

In-house legal teams should review all service provider, vendor, and partner agreements to ensure they include explicit CCPA-compliant terms requiring downstream parties to honor consumer opt-out requests transmitted via user-enabled Global Privacy Controls (GPC) and manual "Do Not Sell My Personal Information" links equivalently. Customer-facing privacy policies and online disclosures must be audited to include clear, affirmative disclosures of any sale of consumer personal information, with accessible opt-out mechanisms that process both GPC signals and manual requests. Vendor agreements should also be updated to conform to CCPA requirements, including clauses governing data sale practices, service provider obligations, and reporting to the company to enable compliance with regulatory reporting requirements. Additionally, companies should implement internal processes to track and respond to opt-out requests across all platforms, including automated GPC signals, to avoid similar CCPA violations.

Contract Search Terms

Global Privacy Control, opt-out mechanism, data sale disclosure, service provider agreement, CCPA compliance, privacy policy disclosure, GPC signal, opt-out request processing

Laws Cited

California Consumer Privacy Act (CCPA)

Entity Details

Entity

Sephora, Inc.

Also known as: Sephora

Industry

Retail

Source Evidence

Entity Name: "Sephora, Inc."
Event Date: "Wednesday, August 24, 2022"
Fine Amount: "$1.2 million"
Laws Cited: "California Consumer Privacy Act (CCPA)"
Violation Types: "failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA"
Remedy Types: "pay $1.2 million in penalties and comply with important injunctive terms"

Related Enforcement Actions

CA

Nexstar Media Group, Inc. and Tegna Inc.

California Attorney General Rob Bonta, joined by attorneys general from seven other states, filed a lawsuit to block the $6.2 billion merger between Nexstar Media Group and Tegna Inc. The lawsuit alleges the merger violates Section 7 of the Clayton Act by reducing competition in local TV markets, leading to higher prices, less local news, and job losses.

CA

U.S. Department of Education

California Attorney General Rob Bonta filed a lawsuit against the U.S. Department of Education to block the expansion of IPEDS data collection requiring colleges to submit race-linked student data. The lawsuit argues the demand is arbitrary, capricious, and burdensome, and could enable costly partisan investigations. A multistate coalition co-led the challenge.

CA

Live Nation

California Attorney General Rob Bonta and a coalition of state attorneys general announced they will continue their antitrust lawsuit against Live Nation/Ticketmaster after the U.S. Department of Justice settled the case. The states aim to hold Live Nation accountable for anticompetitive conduct that harms consumers, artists, and venues in the live music industry.

CA

Ford Motor Company

$376K

The California Privacy Protection Agency (CalPrivacy) settled with Ford Motor Company requiring the company to pay a $375,703 fine and change its practices. Ford violated the CCPA by requiring consumers to complete an email verification step before they could opt-out of the sale and sharing of their personal information collected through digital properties and connected vehicle services. In addition to the fine, Ford must provide easy methods to submit opt-out requests with minimal steps, audit its tracking technologies, and ensure compliance with opt-out preference signals including Global Privacy Control.

CA

GoFundMe

California Attorney General Rob Bonta, co-leading a bipartisan coalition of 21 attorneys general and charitable regulators, sent a letter to GoFundMe demanding the platform remove all plagiarized donation web pages for over 1.4 million charities, disclose information about donations, and ensure pages do not outrank official charity sites in search results. The action follows reports that GoFundMe used charities' information without consent and engaged in deceptive solicitations, violating state charitable solicitation and consumer protection laws.

CA

U.S. Department of Health and Human Services

California Attorney General Rob Bonta sent a letter to the U.S. Department of Health and Human Services opposing a proposed rule that would eliminate model card requirements for AI tools in healthcare, warning that such rollbacks could lead to biased and unsafe healthcare decisions by reducing transparency.