OAKLAND, Calif. (KSEE/KGPE) – On Wednesday, Attorney General Rob Bonta announced a settlement with makeup store Sephora, Inc. following allegations that the company did not follow the rules stated in the California Consumer Privacy Act (CCPA).

Bonta alleged that Sephora failed to let the customers know that it was selling their personal information, that it failed to process requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not fix those violations within the 30 day period allowed by the CCPA.

This action is part of Attorney Bonta’s efforts to enforce California’s comprehensive consumer privacy law, which allows consumers to tell businesses to stop selling their personal information to third parties. including those signaled by the Global Privacy Control (GPC).

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Attorney General Rob Bonta

Officials say the settlement with Sephora highlights the critical rights of consumers under the CCPA to fight commercial surveillance because they are constantly tracked when they go online.

The official report says that many online retailers allow third parties to install tracking software on their websites and in their mobile apps so these third parties can monitor consumers as they shop.

Experts say these third parties track all types of data, such as tracking the brand of eyeliner or the prenatal vitamins that a customer adds to the shopping cart and even consumer’s precise location.

The settlement announced Wednesday requires Sephora to pay $1.2M in penalties and comply with important injunctive terms. Specifically, Sephora must:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control; 
  • Conform its service provider agreements to the CCPA’s requirements; and 
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control. 

For more information about the CCPA laws click here, to report a violation of the CCPA to the AG, consumers can submit a complaint by filling out this form.