The First CCPA Enforcement Wake-Up Call

Zeke Testa, Sr. Director at CYTRIO

Businesses with customers in California have been waiting to see what enforcement may look like for the California Consumer Privacy Act (CCPA), and we got a first glimpse late last month when Attorney General Rob Bonta put a stern stake in the ground. The California AG fined beauty retailer Sephora $1.2 million for violating CCPA, specifically for selling consumers’ personal information (PI) to online tracking companies without telling them. The AG office conducted a round of reviews of online retailers and sent out more than 100 violation notices.

Sephora failed to process user requests to opt out of the sale of their PI via user-enabled global privacy controls, and it did not remedy these violations within the 30-day right to cure window allowed by CCPA. In addition to the fine, Sephora must comply with injunctive terms, including providing reports to the AG relating to its sale of PI and the status of its service provider relationships, in addition to providing mechanisms for consumers to opt out.

This fine comes from the small CCPA enforcement staff after the privacy law has been in effect for more than two years. Many are taking it as a stern warning and expect more severe penalties to hit other companies, as this appears to be only the beginning. The new California Privacy Protection Agency (CPPA) has been ramping up to staff 200 agents to begin enforcing the California Privacy Rights Act (CPRA) in January; CPRA is the strongest consumer privacy law enacted in the United States to date, and it includes a stringent 12-month lookback.

The question remains, however, why Sephora didn’t comply with CCPA in the 30-day window. Did they not have the resources to reactively remedy the situation within that time frame? What were the limitations getting in the way of doing what’s right for customers’ privacy?

We also don’t know what the impact is going to be on Sephora. Will it negatively affect revenue? Will it deter current and future customers? It’s too early to tell, but C-level conversations are inevitably happening at companies across the U.S., companies that want to be sure they avoid these types of fines and the accompanying negative publicity, and that want to do right by the consumer by allowing them to exercise their rights.

We’ve also recently received a preview of possible enforcement under the Federal Trade Commission’s (FTC) American Data Privacy and Protection Act (ADPPA), the pending law that aims to create a standard baseline for all companies to follow. The FTC announced last month that it is suing data broker Kochava for allegedly selling sensitive location-tracking data that could be used to identify individuals’ visits to sensitive locations such as reproductive health clinics, addiction recovery centers, and homeless and domestic violence shelters.

Clearly, enforcement is starting to come down on companies that are not being responsible in collecting, sharing, and selling consumers’ personal data. If you are a business that is subject to CCPA (gross annual revenue in excess of $25 million; buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or derives 50 percent or more of its annual revenue from selling consumers’ personal information), be proactive. Don’t wait to receive a letter giving you 30 days to get into compliance.

Being proactive in meeting consumer privacy laws ultimately saves money. CYTRIO CCPA solutions are helping businesses comply swiftly and cost-effectively, eliminating 80% of the manual tasks associated with compliance. This results in significant time and cost savings, meets CCPA compliance response SLAs, and minimizes the risk of regulatory fines, while ensuring consumer trust.

The California Attorney General is making it clear that consumer privacy rights come first, and this is just the beginning.

For more information on how CYTRIO simplifies CCPA and CPRA compliance, go to: