California Regulators Hit Sephora with $1.2M Fine
Regulators have roared back from a pandemic-induced stupor that seemingly tamped down some of the most aggressive actions at their disposal—as Sephora recently became painfully aware.
The cosmetics retailer is set to pay $1.2 million in penalties for running afoul of the California Consumer Privacy Act (CCPA).
The CCPA has been something of a sleeping giant—no sooner had it been passed and gone into effect than COVID-19 shut down everything. Companies knew that the law, which strengthened California’s privacy protections, was out there and could emerge at any time to hammer them for their data collection transgressions, but regulators seemed reluctant to do so until now.
Sephora, the first company penalized as California flexes its regulatory muscle under the CCPA, stood accused of failing to tell consumers it was selling personal information, failing to process user requests to opt out of that sale via user-enabled global privacy controls and failing to cure the violations within the 30-day period specified by the CCPA.
“As a fundamental rule, you can’t tell your customers you are doing one thing (not selling their data), and then do another (sell their data),” said John Bambenek, principal threat hunter at Netenrich. “Whether by the California AG, the FTC or some other regulator, less-than-truthful claims will eventually catch the eye of some regulator or enforcement official.”
At the heart of the issue are the third parties that Sephora allowed to install tracking software on its website and in its app. That software could build customer profiles from a number of signals, such as the kind of laptop a consumer uses, the items placed in a shopping cart and location. Under the CCPA, that exchange of data for tracking services constituted a sale of consumer information, triggering certain basic obligations like disclosing to consumers that their information is being sold and giving them a chance to opt out. Sephora did not make good on those obligations.
“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customers’ data and ignore requests to opt out of its sale,” California Attorney General Rob Bonta said in a release. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers and process opt-out requests made via user-enabled global privacy controls.”
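The opt-out mechanism at issue is concrete: a browser or extension with Global Privacy Control enabled sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl` to scripts), and a site that "sells" data must treat that as a do-not-sell request for the session. The following is an added example, not code from Sephora or from the California AG, showing how a server can recognize the signal and gate third-party tracking tags on it. The tag list, the `ccpa_opt_out` cookie name and the request headers are constructed for illustration.

```python
"""Honour a Global Privacy Control (GPC) opt-out signal server-side.

Added example for this article, not Sephora's code. The GPC specification
defines the request header ``Sec-GPC`` whose only meaningful value is the
literal "1"; a site that supports it can also publish
``/.well-known/gpc.json``. Everything else here (vendor tag names, the
site-specific opt-out cookie, the sample requests) is an assumption.
"""

# Hypothetical third-party tracking vendors whose tags the page would embed.
THIRD_PARTY_TAGS = ["ads-pixel.example", "analytics-cdn.example"]


def gpc_enabled(headers: dict) -> bool:
    """Return True if the request carries a valid GPC signal.

    Header names are case-insensitive on the wire, so compare lower-cased.
    Any value other than "1" (after trimming whitespace) is treated as
    'no signal', which is what the spec calls for.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opted_out(headers: dict, cookies: dict) -> bool:
    """A user is opted out if GPC is set OR they used the site's own
    "Do Not Sell" control (hypothetical cookie ``ccpa_opt_out=1``).
    The two channels are OR-ed: GPC is honoured even with no site cookie."""
    return gpc_enabled(headers) or cookies.get("ccpa_opt_out") == "1"


def tags_to_load(headers: dict, cookies: dict) -> list:
    """Return the third-party tags the response may include.

    When the user is opted out the list is empty: the page should render
    without the vendors' scripts rather than loading them and relying on
    the vendor to discard the data later.
    """
    if opted_out(headers, cookies):
        return []
    return list(THIRD_PARTY_TAGS)


def well_known_gpc(last_update: str = "2022-08-24") -> dict:
    """Body for /.well-known/gpc.json advertising that GPC is honoured.
    ``last_update`` is an ISO 8601 date; the default is an assumed value."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests: a GPC browser, a site opt-out, and a default visit.
    samples = [
        ({"Sec-GPC": "1", "User-Agent": "gpc-browser"}, {}),
        ({}, {"ccpa_opt_out": "1"}),
        ({}, {}),
    ]
    for hdrs, cks in samples:
        print(hdrs, cks, "->", tags_to_load(hdrs, cks))
```

The point of returning an empty tag list, rather than loading the trackers and flagging the session to the vendor, is that the opt-out has to be enforced before any data leaves the server's control; a signal that is only logged and forwarded is exactly the kind of "processing" the settlement says did not happen.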
Bonta’s words serve as a stark warning to organizations that California regulators take consumer privacy rights seriously and will enforce the CCPA.
“Every CISO that conducts business in California, or is subject to CCPA, should now consider themselves on notice that the statute is as real as other regulatory mandates and that they should act accordingly to get their house in order,” said Andrew Hay, COO at LARES Consulting.
Indeed, even as the attorney general announced the penalties levied on Sephora, he also sent notices to other businesses alerting them to their alleged non-compliance for failing to process opt-out requests made by consumers via user-enabled global privacy controls.
“This event shows that California takes privacy seriously and that the CCPA has the teeth to enforce the stated requirements,” said Hay.
“While the fine Sephora is receiving is nominal, the California AG is setting a precedent that annual reviews of data sharing arrangements are expected as routine for businesses, and that data sharing relationships must hold data partners accountable to the privacy protections in CCPA,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, who called the “collection of personal data, and its potential sale to third-parties, an example of a software supply chain.”
The action by California regulators underscores the need for federal privacy legislation. “Whilst being good news for consumers, this is an alarming trend for businesses. Contrasted to the EU, in the United States, there is still no nationwide and overarching privacy legislation on the federal level, pushing individual states to legislate on the matter and fill the gap,” said Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network. “If the trend persists, in a decade, we will have 50 heterogeneous privacy and data protection regimes, making business in the U.S. impossible both for domestic and foreign companies.”
State privacy laws are often more permissive than Europe’s GDPR, but some states, like California, have enacted stricter laws and others have homed in on specific aspects of data protection, such as biometric data in Illinois. “Contrariwise, in other states, there is no privacy legislation whatsoever, leaving consumers without any protection. Such polarized and incongruent enforcement from one state to another undermines the predictability and certainty of the legal landscape,” said Kolochenko. “That being said, federal legislation that would finally harmonize the American data protection regime is urgently needed.”
The CCPA could serve as a blueprint for an overarching federal law. “CCPA, much like GDPR, establishes strict requirements for protecting privacy for California citizens. In doing so, firms need to reexamine their data protection strategies to ensure they are meeting ‘reasonable security’ standards in an era of increasingly sophisticated cyberthreats,” said Hank Schless, senior manager, security solutions, at Lookout. “As we have now seen with this $1.2 million fine, breaches of privacy under CCPA can result in significant fines for organizations. This regulation will be the benchmark for future state and federal privacy regulations across the United States.”
In the meantime, Hay said, “The best thing a CISO can do is review their CCPA-specific policies with their respective legal and HR teams to ensure their house is in order and that they’re not the next one on the CCPA’s hit list.”
And Bambenek advised that “CISOs, at a minimum, should know what data they collect, why they collect it (or conversely, why they don’t delete or discard it) and what external entities have access to it.”
Just as with a conventional asset inventory, he explained, “organizations need a good information asset inventory that shows where that data is going—it is essential.”