The Attorney General of California has fined a retailer $1.2 million to resolve allegations it violated the California Consumer Privacy Act, while also announcing that other businesses are being notified of not complying with the CCPA, specifically failing to process consumer opt-out requests made via user-enabled global privacy controls.
A copy of the settlement in the case against Sephora Inc. can be accessed by clicking here.
Global Privacy Control is a browser setting that can be used to tell businesses and owners of websites that are visited how the user wants his or her data to be treated. Users can use technology like GPC to prevent websites from tracking you or selling your data.
In filing a complaint against Sephora, the California AG accused it of installing tracking software on consumers’ devices and allowed third parties to monitor those consumers as they shopped. The arrangement constituted a sale of information under the CCPA and triggered Sephora to make certain disclosures, including notifying consumers of their option to opt-out of the sale of their information, which the company did not do.
Under the terms of the settlement, the company will pay $1.2 million in fines and penalties and made other changes to its operations, including:
- Clarifying its online disclosures and privacy policy to include an affirmative representation that it sells data;
- Providing mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
- Conforming its service provider agreements to the CCPA’s requirements; and
- Providing reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.
The other businesses notified by the AG’s office that they were not complying with the opt-out requests made via GPC have 30 days to cure the alleged violations or face enforcement action from the Attorney General.