California’s Sephora Settlement Puts Consumer Privacy First

Last fall, California drew first blood when it agreed to a $1.2 million settlement with Sephora over the cosmetics company’s violations of the California Consumer Privacy Act (CCPA). Attorney General Rob Bonta announced that the French firm sold consumer data without notification, failed to process opt-out requests and failed to put things right within 30 days of receiving an official warning. “There are no more excuses,” he warned other businesses. “Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

“Follow the law” is a straightforward approach in theory, if not always in practice. Companies need privacy infrastructure that enables them to check all the boxes required by regulators but that is adaptable enough to ensure they don’t get tripped up when regulations change or new laws are passed.

“Do right by consumers,” on the other hand, is a much more sweeping injunction. Read alongside other regulatory trends—including federal efforts to empower consumers to sue companies directly for data malpractice rather than waiting for regulators to investigate and issue penalties—the California AG’s demand that companies do what’s right rather than simply what’s required is part of a major shift in data privacy enforcement.

Playing Catch-Up

When it comes to data privacy, regulators and consumers are perpetually playing catch-up with one another. On one hand, regulators shape consumer perceptions: High-profile penalties and big public enforcement actions, like the Sephora case, increase consumer awareness of privacy issues and condition them to expect that companies will handle their data responsibly.

But the devil’s in the details, and consumers often don’t study the minutiae of privacy regulations: They read the headlines, not the fine print. That means they have a gut feeling about what data privacy should mean but not necessarily a clear understanding of what companies are actually required to do.

That’s significant because the regulatory process necessarily lags innovation: Regulators can’t create rulebooks for technologies or business models that don’t yet exist. Consumers, on the other hand, bring all their existing expectations around data privacy to any new device or service they use—meaning that regulators are left playing catch-up and working in real-time to realign the rulebook with consumers’ evolving expectations.

A Three-Step Process

“Do what’s right.” In other words, anticipate what consumers will expect of you and deliver it even before regulators reach the point of demanding it. For businesses, this is a three-step process. First, yes, study the rules that apply to your business and ensure you’re compliant. Second, as Attorney General Bonta suggested, pay attention to technologies such as Global Privacy Control (GPC), a browser-level signal that clearly indicates consumer choice and comes with a built-in mechanism for ensuring you’re aligned with the consumer’s needs.

But third, and most importantly, treat regulatory and GPC compliance as the starting point, not the finish line—the floor, not the ceiling—of your data privacy efforts. What does that mean in practice? It means prioritizing responsible data practices including, but not limited to:

– Meaningful transparency, with full disclosure of how and why data is being collected;
– Effective data minimization, with organizations gathering only the data that’s truly needed for a specific declared purpose;
– Appropriate retention practices, with effective mechanisms for deleting data when it is no longer being used for a specific purpose; and
– Whole-ecosystem enforcement, with robust systems for passing consumers’ privacy decisions along to downstream data partners.
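The two technical practices above that the Sephora case turned on, honoring the GPC opt-out signal and passing that decision to downstream partners, can be sketched in a few lines. The following is an added example, not code from this article or from Ketch. The `Sec-GPC: 1` request header is defined by the GPC specification and is the only value that counts as an opt-out; the consent-record layout, the partner list and the JSON notification shape are constructed for this example and are not any regulator's or partner's real contract.

```python
"""Honouring the Global Privacy Control (GPC) signal and propagating it.

Added example; not code from the article or from Ketch. The `Sec-GPC` header
comes from the GPC specification; everything else here (record layout,
partner names, notification JSON) is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """Constructed record layout for this example (not a CCPA or Ketch schema)."""
    user_id: str
    opted_out_of_sale: bool
    source: str                     # "gpc-header" or "explicit-request"
    recorded_at: str                # ISO 8601 UTC timestamp
    downstream_notified: List[str] = field(default_factory=list)


def gpc_opt_out_requested(headers: Dict[str, str]) -> bool:
    """Return True only if the request carries a valid GPC opt-out signal.

    Per the GPC spec the only meaningful value is the literal "1"; "0",
    "true" or anything else must not be treated as an opt-out. Header names
    are matched case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def record_opt_out(user_id: str, headers: Dict[str, str],
                   explicit_request: bool = False,
                   now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Create an opt-out record if either signal is present, else None.

    The GPC header alone is sufficient to opt the user out, which is the point
    of the California guidance; an explicit request is recorded as such.
    """
    if not (explicit_request or gpc_opt_out_requested(headers)):
        return None
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    source = "explicit-request" if explicit_request else "gpc-header"
    return ConsentRecord(user_id=user_id, opted_out_of_sale=True,
                         source=source, recorded_at=timestamp)


def build_partner_notifications(record: ConsentRecord,
                                partners: List[str]) -> List[str]:
    """Serialise one opt-out notification per downstream data partner.

    The JSON shape is constructed for this example; a real integration would
    use each partner's own contract. Partners already notified are skipped so
    that retries stay idempotent.
    """
    messages = []
    for partner in partners:
        if partner in record.downstream_notified:
            continue
        payload = {
            "partner": partner,
            "user_id": record.user_id,
            "action": "opt_out_of_sale_or_share",
            "source": record.source,
            "effective_at": record.recorded_at,
        }
        messages.append(json.dumps(payload, sort_keys=True))
        record.downstream_notified.append(partner)
    return messages


# Constructed sample request headers and partner list.
SAMPLE_HEADERS = {"Host": "shop.example", "Sec-GPC": "1",
                  "User-Agent": "ExampleBrowser/1.0"}
SAMPLE_PARTNERS = ["ads-partner.example", "analytics.example"]

if __name__ == "__main__":
    rec = record_opt_out("user-123", SAMPLE_HEADERS)
    for msg in build_partner_notifications(rec, SAMPLE_PARTNERS):
        print(msg)
```

The strict equality check on `"1"` matters: treating any non-empty value as an opt-out would over-apply the signal, while missing the header entirely is the failure the settlement penalised. Keeping the list of notified partners on the record is what makes the “whole-ecosystem” step auditable, since it shows which downstream recipients have and have not received the decision.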

For companies of all kinds, the stakes are high. According to a recent Ketch study, consumers are already rewarding companies based on how their data is handled. In fact, responsible data handling now leads to a 23% increase in consumer purchase intent, suggesting that brands stand to gain or lose significant revenue based on how effectively they align with consumers’ expectations.

Your Customers Are Watching

Attorney General Bonta wanted the Sephora settlement to send “a strong message” to the companies that weren’t yet compliant with the CCPA. “My office is watching, and we will hold you accountable,” he warned. Fighting words—but what the Sephora case really underscored is that when it comes to data privacy, consumers are the real sleeping dragon.

So what should companies take away from the Sephora case? Yes, of course, California’s guns-blazing approach to enforcement means that compliance is more important than ever. There’s very little wiggle room when it comes to meeting California’s new rules—and with the 30-day grace period to cure violations expired, that margin for error is about to drop to zero.

But the real question that companies should be asking themselves isn’t what they’ll do when California’s regulators come knocking. It’s whether they’re ready for a world in which their customers wake up and start flexing their muscles. Consumer-driven data privacy is here—and the only way to prepare is to start doing right by your customers before the sleeping dragon wakes up.


Jonathan Joseph

Jonathan Joseph is the Head of Solutions and Marketing at Ketch, a platform for programmatic privacy, governance, and security. Passionate about innovation, his career is focused on disruptive technology and organizational change. He serves on the Board of Directors at Reel Works, which builds opportunities for diversity and inclusion in media, through a platform that empowers underserved NYC youth to share their stories through filmmaking, creating a springboard to successful careers.
