August 25, 2022

California Attorney General Announces First CCPA Settlement


On August 24, 2022, the California Attorney General (AG) announced a first-of-its-kind settlement with Sephora, Inc. (Sephora) over Sephora's alleged violation of the California Consumer Privacy Act (CCPA). The settlement imposed a $1.2 million fine and injunctive measures—as well as a two-year monitorship—to ensure Sephora's compliance with certain parts of the CCPA related to consumer opt-outs from the sale of information, including through recognition of the Global Privacy Control (GPC).


The CCPA includes provisions that require businesses subject to the CCPA to allow consumers to opt out of the "sale" of their personal information by the business. The definition of "sale" under the CCPA is very broad, as highlighted by the AG's complaint against and settlement with Sephora. In the Sephora matter, the AG's complaint describes how a business's use of "widely-used" advertising and analytics technologies can, in the AG's view, constitute a "sale" of information for which consumers must be given the right to opt out, including through the GPC.

The AG's press release and complaint detail how, in June 2021, the AG conducted an "enforcement sweep" of large online retailers to assess their compliance with the CCPA's opt-out of sale requirements and their ability to process GPC. The AG alleges that, although Sephora collected and shared internet activity data with third-party advertising networks and analytics providers, Sephora's privacy policy represented that it did not "sell" personal information, and that Sephora's website neither included a "Do Not Sell" link nor recognized the GPC. The AG alleges that it sent Sephora a notice of noncompliance with the CCPA and that Sephora did not cure the noncompliance within 30 days, leading to the AG's enforcement action and, ultimately, the settlement announced yesterday.

Pursuant to the settlement, in addition to a $1.2 million payment, Sephora was ordered to provide notice of its "sale" of personal information practices, provide a "Do Not Sell" mechanism on its website and implement the capability to process GPC signals. Sephora was also given 180 days to develop the following:

  • A program to assess whether it is effectively processing consumer opt-out requests and requests submitted via GPC, including annual reports submitted to the AG for two years after the 180-day implementation period, detailing its implementation of the opt-out mechanisms and an analysis of any errors or technical problems encountered and remediated; and
  • A program to conduct an annual review of its website and mobile applications to determine the entities to which it makes personal information available and to ensure proper categorization of its service providers, as well as annual reports submitted to the AG for two years after the 180-day implementation period, detailing the names of the entities to which Sephora makes personal information available, its purpose for making that information available and whether Sephora characterizes such entities as service providers.

Sephora did not admit any wrongdoing in connection with the settlement.

Aside from being the first public CCPA settlement, there are several noteworthy aspects of the AG's announcement:

  • First, the timing is significant. The California Privacy Protection Agency (CPPA)—the new regulatory agency tasked with enforcing the CCPA—just closed the window for public comment to its proposed CCPA regulations, which include a controversial set of regulations related to opt-out browser signals. The AG's focus on GPC in its complaint against Sephora is hard to see as a coincidence.
  • Second, and related, the AG's focus on GPC should be a wake-up call to companies that may not have previously focused on that requirement in the existing regulations.
  • Third, the settlement should be a reminder to companies that the 30-day cure period is an opportunity to act to avoid this same outcome.
  • Fourth, the inclusion of a monitorship, while not surprising, highlights what many companies will consider among the highest costs of CCPA noncompliance.

Finally, the AG's announcement takes a clear stance on the contested debate over the meaning of "sale" under the CCPA. Like Sephora, many other companies had taken the position that the use of web advertising and analytics technologies does not amount to a "sale" under the CCPA. This issue will largely become moot when the CCPA amendments, which take effect next year, introduce a new right to opt out of "sharing" that is specifically drafted to cover targeted advertising technologies. Still, through the Sephora settlement, the AG is making clear its view that the CCPA's "sale" provisions already cover these technologies, and that companies that do not currently provide an opt-out of targeted advertising are out of compliance with the CCPA. Companies should assess their compliance posture—and the timeline for implementing any new opt-out rights—accordingly.
