On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora, one of the largest cosmetic retailers in the world, to resolve allegations that the company illegally sold consumer data and violated the California Consumer Privacy Act (“CCPA”).1 The settlement was a result of an enforcement sweep the state conducted on online retailers in 2021 and is the first public CCPA-enforcement action since the law went into effect in January 2020.
The complaint, filed in San Francisco Superior Court, alleges that Sephora violated the CCPA and California’s unfair competition law by failing to disclose to consumers that it was selling their personal information by making this information available to online third-party trackers in exchange for certain benefits, such as targeted advertising and discounted analytics.1 Sephora also failed to process opt-out requests made via user-enabled privacy controls like the Global Privacy Control (“GPC”).2 The GPC is a powerful tool developed by a broad coalition of stakeholders, including tech companies, web publishers, browser and extension developers, academics, and civil rights groups, in response to the CCPA.3 It allows consumers to opt-out of all online sales of their personal information in one fell swoop by using a browser or software extension available on certain internet browsers to broadcast a “Do Not Sell My Personal Information” signal across every website they visit, without having to click on an opt-out link each time. Under the CCPA regulations,
