Makeup retailer Sephora will pay $1.2 million to resolve a complaint by the California attorney general that the company sold customers' data obtained through its app and website despite claiming not to.
The settlement, announced on Wednesday by state Attorney General Rob Bonta, also included allegations that Sephora ignored requests from consumers who used a mechanism to opt out of all sales of their data with a single click rather than having to go to each individual website that might be interested in their information.
The complaint shows that the state is escalating enforcement of its landmark privacy law, the California Consumer Privacy Act, and getting more aggressive in pursuing action against retailers that fail to honor such global opt-outs.
"Today isn’t only about Sephora," Bonta told reporters. "Today’s settlement sends a strong message to businesses about the California DOJ's ongoing efforts to enforce the CCPA."
The complaint suggested that, while Sephora didn't get paid by third parties that had access to location data and other information about customers, the nationwide chain received other benefits in violation of CCPA's definition of sale, which goes beyond the exchange of money. In Sephora's case, the company received analytics or "the opportunity to purchase online ads targeting specific consumers" from unnamed third parties. The company in turn frequently kept the data and used it "for the benefit of other businesses, without the knowledge or consent of the consumer."
Bonta said Sephora was one of several businesses that received notice about its practices, but it did not fix them within 30 days. The attorney general also announced an "investigative sweep" of additional, unnamed companies that might not be honoring the all-in-one opt-out requests, which use a technology called Global Privacy Control (GPC) and often operate at the browser level.
California's enforcement of CCPA requires companies to honor GPC signals, and Bonta has looked to global opt-outs as a way to broaden consumer rights, calling them "powerful tools" on Wednesday. Many companies, however, treated a similar approach as non-binding in the years before CCPA, and according to Bonta, some still ignore the state's interpretation of the law.
Those businesses still have 30 days to comply without facing action from Bonta's office, he noted, but the "notice and cure" approach expires at the end of the year.
"The kid gloves are coming off," he said.
In response to the settlement, Sephora said it was not admitting wrongdoing and lamented that CCPA's definition of "'sale' includes common, industry-wide technology practices such as cookies." The company said it has "allowed consumers to opt-out of the sale of personal info, including via the Global Privacy Control" since last November.
This article was updated Aug. 24 to include a statement from Sephora.