[Image: a gavel next to a scale holding a mini shopping cart. Credit: William W. Potter/Adobe Stock]

International cosmetics giant Sephora is the first company to be publicly fined for violating the California Consumer Privacy Act. In a press release sent on Wednesday, August 24, California Attorney General Rob Bonta announced a settlement with Sephora over allegations that it violated the CCPA, requiring the company to pay $1.2 million in penalties and comply with certain terms.

Following its investigation, the California Attorney General's office said it found that Sephora failed to tell customers that it was selling their personal data (under the CCPA, letting third-party advertising and analytics companies track shoppers in exchange for their services counts as a "sale" even when no money changes hands), that it neglected to process requests from users opting out of the sale of their data, and that it didn't resolve these violations within the 30-day cure period the CCPA allowed.

Enacted in 2018 and in force since January 1, 2020, the CCPA is designed to give consumers specific rights over the use and sale of their personal data by companies that do business in California. The law gives consumers the right to know what data a business collects about them and how that data is used and shared, the right to request deletion of data collected about them (with certain exceptions), and the right to opt out of the sale of their personal data.

Businesses are facing consequences for violating the CCPA

Beyond agreeing to pay the fine of $1.2 million, Sephora must follow other remedies. The company is required to clarify its online privacy policy to state that it sells personal data. It must also provide ways for consumers to opt out of the sale of their data, as well as amend its service provider agreements to conform to CCPA requirements. And the company must provide reports to the California Attorney General's office on its sale of personal data, the status of its service provider relationships and its efforts to honor the Global Privacy Control (GPC) specification.

As a sign that California is taking the CCPA seriously, Attorney General Bonta also sent notices to a number of other businesses that his office alleges are in violation of the law, specifically by failing to honor opt-out requests that consumers make through privacy controls like the GPC. Available in supporting web browsers and browser extensions, GPC lets a user broadcast a "do not sell" preference to every website they visit: the browser attaches the Sec-GPC HTTP request header to each request and exposes the same setting to page scripts as navigator.globalPrivacyControl, and the Attorney General's office treats that signal as a valid opt-out request. The businesses that received notices must cure the alleged violations within 30 days or face action by the Attorney General's office.
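One way a site could detect and honor the GPC signal on the server, as an added example written for this page rather than code from the article, Sephora or the Attorney General's office. It assumes a Node.js-style request where header names are lower-cased, a hypothetical stored opt-out flag on the visitor's account or cookie, and a hypothetical vendor list that distinguishes CCPA "service providers" from third parties that receive data in a sale; the header name, its required value of exactly "1", and the /.well-known/gpc.json resource come from the GPC specification.

```javascript
// Added example: honoring Global Privacy Control (GPC) server-side.
// Supporting browsers send the request header "Sec-GPC: 1". The GPC spec
// treats only the exact value "1" as a signal; anything else is no signal.

// Return true when a request carries a valid GPC opt-out signal.
// `headers` uses lower-cased keys, as Node's http.IncomingMessage.headers does.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  // Node joins repeated headers into a comma-separated string, so a value
  // such as "1, 1" is rejected along with "true", "0" or an empty string.
  return typeof value === 'string' && value.trim() === '1';
}

// Decide whether personal data from this request may be sold or shared.
// A previously recorded opt-out (hypothetical: a "Do Not Sell" form stored
// on the account or in a cookie) always wins; otherwise the GPC header is
// honored as an opt-out request. Returns { sell, reason } for audit logs.
function saleDecision(headers, storedOptOut) {
  if (storedOptOut) return { sell: false, reason: 'stored-opt-out' };
  if (hasGpcSignal(headers)) return { sell: false, reason: 'gpc-header' };
  return { sell: true, reason: 'no-opt-out' };
}

// Build the tag/pixel configuration for a page from the decision.
// Vendors acting as CCPA service providers stay enabled; vendors that
// receive data in a sale are only enabled when the decision allows it.
function vendorConfig(decision, vendors) {
  return vendors.map((v) => ({
    name: v.name,
    enabled: v.role === 'service-provider' || decision.sell,
  }));
}

// Body for GET /.well-known/gpc.json, the resource the GPC spec defines so
// that browsers and auditors can see a site claims to honor the signal.
// `lastUpdate` is an ISO 8601 date (YYYY-MM-DD).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests and vendor list (not real traffic or vendors).
const SAMPLE_REQUESTS = [
  { name: 'gpc-browser', headers: { 'sec-gpc': '1', host: 'shop.example' }, stored: false },
  { name: 'no-signal', headers: { host: 'shop.example' }, stored: false },
  { name: 'malformed', headers: { 'sec-gpc': 'true', host: 'shop.example' }, stored: false },
  { name: 'account-opt-out', headers: { host: 'shop.example' }, stored: true },
];
const SAMPLE_VENDORS = [
  { name: 'analytics-sp', role: 'service-provider' },
  { name: 'ad-network', role: 'third-party' },
];

// Evaluate every sample and return { name: { decision, vendors } }.
function runSamples() {
  const out = {};
  for (const s of SAMPLE_REQUESTS) {
    const decision = saleDecision(s.headers, s.stored);
    out[s.name] = { decision, vendors: vendorConfig(decision, SAMPLE_VENDORS) };
  }
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The decision and its reason are worth logging with each request, since the settlement terms above include reporting on how opt-outs and the GPC signal are handled; the same check belongs in the client before any tag manager fires, using navigator.globalPrivacyControl, so that no third-party request leaves the browser before the server-side decision is known.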


“The recent fine levied on Sephora by the state of California is a brutal wake-up call for organizations that don’t take rapidly-evolving data privacy regulations seriously,” said Jeff Sizemore, chief governance officer at security and compliance firm Egnyte. “In particular, companies need to: 1) Have effective processes in place to process opt-out requests; 2) Manage consumers’ requests that are made through global privacy control technology; 3) Inform consumers when their data is being sold; and 4) Keep their privacy policies up to date.”

Privacy policy changes to provide more transparency

Sizemore also advised companies that do business in California, Virginia, Colorado, Utah or Connecticut to prepare for new and updated legislation that will go into effect in 2023.

“Sephora being fined should serve as a reminder for organizations to review privacy policies with employees and conduct audits for compliance,” said Sam Humphries, head of security strategy of EMEA for cybersecurity firm Exabeam. “This can reassure skeptical employees and consumers that their accounts are protected and that their privacy is maintained, while also safeguarding organizational data.”

Humphries advised companies to be transparent about their data monitoring and create policies for employees that are easily accessible through paper or digital training. The policies should avoid complex jargon and point employees to an appropriate contact person to answer any questions.

Further, Humphries suggested that even organizations not required to comply with data privacy regulations like the CCPA should ask themselves the following five questions to guide their data protection:

  • Is your data monitoring lawful, fair and transparent?
  • Will the personal data you collect be used for a specific purpose?
  • Are you taking every reasonable step to erase or correct data that is inaccurate or incomplete?
  • Do you delete personal data once you no longer need it?
  • Is the data you collect appropriately secured?
