August 25, 2022

California Attorney General Announces First CCPA Settlement

On August 24, 2022, the California Attorney General (AG) announced a first-of-its-kind settlement with Sephora, Inc. (Sephora) over Sephora's alleged violation of the California Consumer Privacy Act (CCPA). The settlement imposed a $1.2 million fine and injunctive measures—as well as a two-year monitorship—to ensure Sephora's compliance with certain parts of the CCPA related to consumer opt-outs from the sale of information, including through recognition of the Global Privacy Control (GPC).


The CCPA includes provisions that require businesses subject to the CCPA to allow consumers to opt out of the "sale" of their personal information by the business. The definition of "sale" under the CCPA is very broad, as highlighted by the AG's complaint against and settlement with Sephora. In the Sephora matter, the AG's complaint describes how a business's use of "widely-used" advertising and analytics technologies can, in the AG's view, constitute a "sale" of information from which consumers must be given the right to opt out, including through the GPC.

The AG's press release and complaint detail how, in June 2021, the AG conducted an "enforcement sweep" of large online retailers to assess their compliance with the CCPA's opt-out of sale requirements and their ability to process GPC. The AG alleges that, although Sephora collected and shared internet activity data with third-party advertising networks and analytics providers, Sephora's privacy policy represented that it did not "sell" personal information, and that Sephora's website neither included a "Do Not Sell" link nor recognized the GPC. The AG alleges that it sent Sephora a notice of noncompliance with the CCPA and that Sephora did not cure the noncompliance within 30 days, leading to the AG's enforcement action and, ultimately, the settlement announced yesterday.

Pursuant to the settlement, in addition to a $1.2 million payment, Sephora was ordered to provide notice of its "sale" of personal information practices, provide a "Do Not Sell" mechanism on its website and implement the capability to process GPC signals. Sephora was also given 180 days to develop the following:

  • A program to assess whether it is effectively processing consumer opt-out requests and requests submitted via GPC, including annual reports submitted to the AG for two years after the 180-day implementation period, detailing its implementation of the opt-out mechanisms and an analysis of any errors or technical problems encountered and remediated; and
  • A program to conduct an annual review of its website and mobile applications to determine the entities to which it makes personal information available, as well as annual reports submitted to the AG for two years after the 180-day implementation period, detailing the names of the entities to which Sephora makes personal information available, its purpose for making that information available and whether Sephora characterizes such entities as service providers, to ensure proper categorization of its service providers.

Sephora did not admit any wrongdoing in connection with the settlement.

Aside from being the first public CCPA settlement, there are several noteworthy aspects of the AG's announcement:

  • First, the timing is significant. The California Privacy Protection Agency (CPPA)—the new regulatory agency tasked with enforcing the CCPA—just closed the window for public comment to its proposed CCPA regulations, which include a controversial set of regulations related to opt-out browser signals. The AG's focus on GPC in its complaint against Sephora is hard to see as a coincidence.
  • Second, and related, the AG's focus on GPC should be a wake-up call to companies that may not have previously focused on that requirement in the existing regulations.
  • Third, the settlement should be a reminder to companies that the 30-day cure period is an opportunity to act to avoid this same outcome.
  • Fourth, the inclusion of a monitorship, while not surprising, highlights what many companies will consider among the highest costs of CCPA noncompliance.

Finally, the AG's announcement takes a clear stance on the contested debate over the meaning of "sale" under the CCPA. Like Sephora, many other companies had taken the position that the use of web advertising and analytics technologies does not amount to a "sale" under the CCPA. This issue will largely become moot when the CCPA amendments, which take effect next year, introduce a new right to opt out of "sharing" that is specifically drafted to cover targeted advertising technologies. Still, through the Sephora settlement, the AG is making clear its view that the CCPA's "sale" provisions already cover these technologies, and that companies that do not currently provide an opt-out of targeted advertising are out of compliance with the CCPA. Companies should assess their compliance posture—and the timeline for implementing any new opt-out rights—accordingly.
