Sephora will pay $1.2 million to settle California customer data complaint

The California attorney general used the case to warn websites to honor consumers' browser-level requests not to have their data sold.

The makeup giant has run afoul of the California Consumer Privacy Act.

Photo: Deva Darshan/Unsplash

Makeup retailer Sephora will pay $1.2 million to resolve a complaint by the California attorney general that the company sold customers' data obtained through its app and website despite claiming not to.


The settlement, announced on Wednesday by state Attorney General Rob Bonta, also included allegations that Sephora ignored requests from consumers who used a mechanism to opt out of all sales of their data with a single click rather than having to go to each individual website that might be interested in their information.

The complaint shows that the state is escalating enforcement of its landmark privacy law, the California Consumer Privacy Act, and getting more aggressive in pursuing action against retailers that fail to honor such global opt-outs.

"Today isn’t only about Sephora," Bonta told reporters. "Today’s settlement sends a strong message to businesses about the California DOJ's ongoing efforts to enforce the CCPA."

The complaint suggested that, while Sephora didn't get paid by third parties that had access to location data and other information about customers, the nationwide chain received other benefits in violation of CCPA's definition of sale, which goes beyond the exchange of money. In Sephora's case, the company received analytics or "the opportunity to purchase online ads targeting specific consumers" from unnamed third parties. The company in turn frequently kept the data and used it "for the benefit of other businesses, without the knowledge or consent of the consumer."

Bonta said Sephora was one of several businesses that received notice about its practices, but it did not fix them within 30 days. The attorney general also announced an "investigative sweep" of additional, unnamed companies that might not be honoring the all-in-one opt-out requests, which use a technology called Global Privacy Control and often operate at the browser level.

California's enforcement of CCPA requires companies to honor GPC signals, and Bonta has looked to global opt-outs as a way to broaden consumer rights, calling them "powerful tools" on Wednesday. Many companies, however, treated a similar approach as non-binding in the years before CCPA, and according to Bonta, some still ignore the state's interpretation of the law.

Those businesses still have 30 days to comply without facing action from Bonta's office, he noted, but the "notice and cure" approach expires at the end of the year.

"The kid gloves are coming off," he said.

In response to the settlement, Sephora said it was not admitting wrongdoing and lamented that CCPA's definition of "'sale' includes common, industry-wide technology practices such as cookies." The company said it has "allowed consumers to opt-out of the sale of personal info, including via the Global Privacy Control" since last November.

This article was updated Aug. 24 to include a statement from Sephora.
