On August 24, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over allegations that the cosmetic retailer had violated the California Consumer Privacy Act (CCPA). This first public enforcement action—and subsequent noncompliance letters the Attorney General sent to other retailers—clearly highlights the continued focus of regulators on online tracking practices and opt-out signals such as the global privacy control (GPC). However, it also highlights the complexities of preparing for the 2023 laws while the existing framework continues to shift.

In the complaint, the office of the Attorney General alleged that Sephora failed to: (1) disclose to consumers that it was selling their personal information through the use of “common” online analytical tools; (2) provide consumers with an easy-to-find “do not sell” link on its website or in its app; (3) process user requests via the user-enabled GPC to opt out; and (4) resolve these violations within the 30-day cure period currently allowed under the CCPA.  

The first two allegations resolve any remaining ambiguity surrounding the long-standing discussion as to whether the use of website or application analytics for cross-contextual advertising constitutes a “sale” under the CCPA’s broad definition. But the California Attorney General appears to go further by alleging that “the trade of personal information for analytics” constituted sales under the CCPA. There are nuances between what third-party cookies do and whether there is really consideration given by a user to the provider, so businesses may have some defenses if ever tested. Nonetheless, the Sephora complaint makes clear that the Attorney General considers purely analytical cookies to be “sales” under the CCPA/CPRA even if they are not “sharing.”

With respect to the GPC, the California Attorney General made clear that it considers the failure to honor the GPC to be a violation of the CCPA and its implementing regulations. As a preliminary matter, there remains some debate as to whether the CCPA truly provides the Attorney General with the authority to require businesses to honor the GPC. Indeed, the CCPA does not discuss opt-out signals—that requirement is only raised in the CPRA’s provisions discussing the new California Privacy Protection Agency’s authority to promulgate rules. So, while the current CCPA regulations do require the honoring of an opt-out signal, businesses facing enforcement actions could potentially have a defense that this regulation is not authorized. However, there is very little incentive for businesses to mount such a defense when the CCPA still affords a 30-day cure period.

That cure period ends on January 1, which may be the most important takeaway from Sephora. The CPRA provides that enforcement of the new provisions cannot begin until the later of July 1, 2023 or six months after the final regulations are published. However, that delayed enforcement period applies only to the new CPRA provisions, and not to existing CCPA provisions. While many companies had considered the use of analytics for cross-contextual advertising and the GPC as new CPRA issues, the Attorney General has staked a claim that they are existing CCPA obligations—and therefore enforceable without a cure period as of January 1. Companies should therefore ensure that this aspect of their compliance regimes is up and ready before the new year.

For additional information on CPRA updates and practical compliance steps, check out our recent webcast.