August 25, 2022

California AG Assesses First CCPA Penalty, Announces New Enforcement Examples

Holland & Knight Cybersecurity and Privacy Blog
Rachel Marmor | Ashley L. Shively

California Attorney General (CA AG) Rob Bonta announced on Aug. 24, 2022, that his office had reached a settlement with Sephora Inc. (Sephora) to resolve claims that the manner in which Sephora used third-party tracking technologies violated the California Consumer Privacy Act (CCPA). The action is the first formal complaint brought by the AG under the CCPA, which became effective on Jan. 1, 2020. If approved, the settlement will require Sephora to take immediate action to comply with the law, conduct regular compliance assessments for two years and pay a $1.2 million fine.

The Allegations Against Sephora

The complaint alleges that Sephora installed certain analytics and advertising cookies and other tracking technologies on its website and mobile apps that enabled the providers of those technologies to track the activity of Sephora users, including on products viewed or items added to carts. Those third-party providers then matched the user activity collected from Sephora's website and apps with data they collected from other sources to assist Sephora in identifying customer targets and serve advertising to them on other internet properties. The nature of the products sold by Sephora meant that the third parties could infer information about an individual that might be considered highly personal – for example, the third party would know that an individual had purchased prenatal vitamins from Sephora.

Though Sephora took the position in its website privacy policy that the company did not "sell" personal information, the AG's office argues in the complaint that allowing third parties to collect personal information via cookies was in fact a sale of that personal information. This sale triggered obligations for Sephora to offer consumers the choice to opt out of such disclosures. Sephora violated the CCPA, according to the AG, first in that it failed to post a "Do Not Sell My Personal Information" link on its website and mobile apps that could be used by consumers wishing to opt out, and second in that its website did not detect and process opt-out signals sent by browsers where the user had enabled Global Privacy Control (GPC).

Sephora could not claim that the advertising and analytics partners were service providers – which would have rendered the disclosures not a sale – because it did not have "valid" contracts in place with such partners that met the requirements set forth in the CCPA for a service provider contract. The complaint does not name the third parties whose cookies were running on Sephora's website.

The Enforcement Action

According to the complaint, the CA AG identified an initial potential violation of the law by Sephora through an "enforcement sweep" of large retailers that began with an analysis of whether their websites honored GPC. This led the CA AG to dig deeper into Sephora's privacy notice and opt-out processes, during which additional issues surfaced. Sephora was notified of these violations and failed to cure them within 30 days.

In addition to claiming violations of the CCPA and its implementing regulations, the complaint includes a count for violation of California's Unfair Competition Law, alleging that Sephora's privacy policy had false or misleading statements and that consumers were deprived of their ability to opt out of the sale of personal information.

In addition to website and mobile app remediation and the monetary fine, the settlement requires Sephora to conduct annual assessments of whether it is effectively processing consumer requests to opt out of the sale of their personal information for a period of two years and to submit such assessments to the CA AG's office. Sephora must also document the entities with whom it shares personal information and, if it takes the position that those entities are service providers, confirm in a report to be provided to the CA AG that appropriate contract provisions are in place.

Additional Enforcement Examples

As we reported in a previous Holland & Knight post, "California Attorney General Previews Enforcement Strategy," the AG first published examples of its enforcement activities in July 2021 – around the same time the complaint indicates Sephora was put on notice of its alleged violations.

In conjunction with the announcement of the Sephora settlement, the CA AG's office updated its public list of examples of instances in which notices of noncompliance with the CCPA were issued. Of the 13 examples provided, 10 involved some sort of failure to properly offer consumers the right to opt out of the sale of their personal information. Some alleged failures were total – the business failed to post the required opt-out link and/or honor GPC. Others related to the manner in which the opt-out choice was presented – for example, the business's presentation of options was confusing or forced the consumer to take extra steps, or the business failed to accept requests from authorized agents. Several examples also cited deficiencies in privacy notices, such as incorrect or misleading statements about the business's practices related to the sale of personal information, and/or deficiencies in the process for submitting right-to-know or delete requests, such as the failure to offer two designated methods or to describe the request verification process. Two examples cited failure to provide training to employees who handled consumer privacy requests.


  • The deployment of third-party cookies and pixels on a website to collect information about a visitor's activities on the website will likely be viewed by the CA AG as a sale of personal information to the third party, subject to opt-out requirements. While a business may be able to avoid offering an opt-out by treating the party as a service provider, a legally compliant contract restricting the use of the personal information must be in place for this to work. The Sephora complaint suggests the CA AG is (at a minimum) skeptical of the standard contract terms that come with "widely available advertising and analytics" tools. Businesses, particularly online retailers, should therefore have a detailed understanding of the data flows that occur on their online properties and the ways in which third parties are using data collected.
  • The CA AG believes that honoring signals sent by browsers using GPC is a requirement of current state law. Even if this is an aggressive reading of law,1 widespread adoption of GPC is clearly expected by the California Privacy Rights Act effective Jan. 1, 2023, and seems to be required by new privacy laws in Colorado and Connecticut in coming years. Businesses that have not already moved to adopt the standard should do so.
  • Missteps in the presentation of consumers' rights processes – either right to know/delete or opt-out – are easy for a regulator to identify. Once a potential issue is on the regulator's radar, it can lead to a thorough investigation of a business's privacy program, which may result in the identification of more significant issues.
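The two mechanical failures the complaint describes – no working opt-out state and no handling of the GPC signal – both come down to a server deciding, per request, whether third-party tags may load. The following is an added example written for this post, not code from Sephora, the CA AG or the authors. It assumes the GPC signal arrives as the HTTP request header `Sec-GPC: 1` (the value defined by the Global Privacy Control specification), that the "Do Not Sell My Personal Information" link sets a first-party cookie named `opt_out_sale=1` (an assumed name), and that each tag in the catalog has been classified by counsel as either a service provider with a CCPA-compliant contract on file or an ordinary third party; the vendor identifiers are hypothetical.

```javascript
'use strict';

// Added example (not from the original post): gate third-party tags on a CCPA opt-out decision.
// Inputs are plain objects so the example runs offline without an HTTP server.

// Minimal Cookie header parser. Malformed percent-encoding is kept verbatim rather than thrown on.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// HTTP header names are case-insensitive, so look them up without regard to case.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return String(v);
  }
  return undefined;
}

// Returns { optedOut, reason }. Per the GPC spec only the value "1" is an opt-out signal;
// any other value (or absence of the header) carries no signal, so fall through to the
// cookie that the Do Not Sell link is assumed to set.
function optOutDecision(req) {
  const gpc = headerValue(req.headers, 'Sec-GPC');
  if (gpc !== undefined && gpc.trim() === '1') {
    return { optedOut: true, reason: 'gpc-header' };
  }
  const cookies = parseCookies(headerValue(req.headers, 'Cookie'));
  if (cookies.opt_out_sale === '1') {
    return { optedOut: true, reason: 'do-not-sell-cookie' };
  }
  return { optedOut: false, reason: 'no-signal' };
}

// Decide which tags may be emitted into the page for this request.
// serviceProvider: true  -> contract meets the CCPA service-provider terms (a legal determination,
//                           assumed here), so the disclosure is not a sale and the tag may load.
// serviceProvider: false -> disclosure is treated as a sale and loads only absent an opt-out.
function gateTags(req, catalog) {
  const { optedOut, reason } = optOutDecision(req);
  const allowed = [];
  const blocked = [];
  for (const tag of catalog) {
    if (tag.serviceProvider || !optedOut) allowed.push(tag.id);
    else blocked.push(tag.id);
  }
  return { optedOut, reason, allowed, blocked };
}

// Constructed sample catalog (hypothetical vendor ids) and constructed sample requests.
const SAMPLE_CATALOG = [
  { id: 'site-search-vendor', serviceProvider: true },
  { id: 'ad-retargeting-pixel', serviceProvider: false },
  { id: 'cross-site-analytics', serviceProvider: false },
];

const SAMPLE_REQUESTS = {
  gpcOn: { headers: { 'sec-gpc': '1', cookie: '' } },
  linkOptOut: { headers: { cookie: 'session=abc; opt_out_sale=1' } },
  noSignal: { headers: { 'Sec-GPC': '0', cookie: 'session=abc' } },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, JSON.stringify(gateTags(req, SAMPLE_CATALOG)));
}
```

The decision has to be made before any tag markup is emitted: a tag-manager snippet that loads unconditionally and is told about the opt-out afterward has already allowed the third party to set its cookie, which is the disclosure the complaint treats as a sale. Note also that the browser-side `navigator.globalPrivacyControl` flag is the same signal delivered to client-side code; a site that injects tags from the client should check it there, with the server-side header check covering server-rendered markup.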


1 A global opt-out is not mentioned in the CCPA and is required under the CPRA amendments to the statute only if a business does not want to provide a Do Not Sell link for opt-outs from sales of personal information.
