Bulletins

Sephora will pay $1.2 million to settle California customer data complaint

The California attorney general used the case to warn websites to honor consumers' browser-level requests not to have their data sold.

A Sephora store at night as car lights streak in front of it.

The makeup giant has run afoul of the California Consumer Privacy Act.

Photo: Deva Darshan/Unsplash

Makeup retailer Sephora will pay $1.2 million to resolve a complaint by the California attorney general that the company sold customers' data obtained through its app and website despite claiming not to.


The settlement, announced on Wednesday by state Attorney General Rob Bonta, also included allegations that Sephora ignored requests from consumers who used a mechanism to opt out of all sales of their data with a single click rather than having to go to each individual website that might be interested in their information.

The complaint shows that the state is escalating enforcement of its landmark privacy law, the California Consumer Privacy Act, and getting more aggressive in pursuing action against retailers that fail to honor such global opt-outs.

"Today isn’t only about Sephora," Bonta told reporters. "Today’s settlement sends a strong message to businesses about the California DOJ's ongoing efforts to enforce the CCPA."

The complaint suggested that, while Sephora didn't get paid by third parties that had access to location data and other information about customers, the nationwide chain received other benefits in violation of CCPA's definition of sale, which goes beyond the exchange of money. In Sephora's case, the company received analytics or "the opportunity to purchase online ads targeting specific consumers" from unnamed third parties. The company in turn frequently kept the data and used it "for the benefit of other businesses, without the knowledge or consent of the consumer."

Bonta said Sephora was one of several businesses that received notice about its practices, but it did not fix them within 30 days. The attorney general also announced an "investigative sweep" of additional, unnamed companies that might not be honoring the all-in-one opt-out requests, which use a technology called Global Privacy Control and often operate at the browser level.

California's enforcement of CCPA requires companies to honor GPC signals, and Bonta has looked to global opt-outs as a way to broaden consumer rights, calling them "powerful tools" on Wednesday. Many companies, however, treated a similar approach as non-binding in the years before CCPA, and according to Bonta, some still ignore the state's interpretation of the law.

Those businesses still have 30 days to comply without facing action from Bonta's office, he noted, but the "notice and cure" approach expires at the end of the year.

"The kid gloves are coming off," he said.

In response to the settlement, Sephora said it was not admitting wrongdoing and lamented that CCPA's definition of "'sale' includes common, industry-wide technology practices such as cookies." The company said it has "allowed consumers to opt-out of the sale of personal info, including via the Global Privacy Control" since last November.

This article was updated Aug. 24 to include a statement from Sephora.

Latest Bulletins

Mobile game revenue will decline for the first time in history this year, market research firm Newzoo now says in a revised outlook for the 2022 global games market. While the whole game industry is expected to contract by 4.3% — another first since Newzoo began tracking the market in 2007 — the company is predicting a 6.4% decline in mobile game spending on top of a 4.2% decline in console game spending.

Keep Reading Show less

Amazon is planning to lay off thousands of employees, Protocol has learned, ahead of what the company has cautioned will be a slow holiday shopping season.

Keep Reading Show less

Google agreed to pay $391.5 million and make changes to its user privacy controls as part of a settlement with a coalition of 40 state attorneys general. The coalition accused Google of misleading customers about location-tracking practices that informed ad targeting.

Keep Reading Show less

FTX has filed for bankruptcy and the crypto company also announced that founder Sam Bankman-Fried has resigned as CEO.

Keep Reading Show less

Salesforce recently updated its internal policies to make it easier for managers to terminate employees for performance issues without HR involvement, Protocol has learned, a move that comes as the software giant looks to shed as many as 2,500 jobs.

Keep Reading Show less

The Consumer Financial Protection Bureau said fraud and scam reports comprise the top complaint it receives about virtual currencies — and that customers are finding little help from companies when it happens.

Keep Reading Show less

Elon Musk sent his first email to Twitter staff late Wednesday, warning of a difficult economic road ahead and telling employees they need to be in office for a minimum of 40 hours per week. "Sorry that this is my first email to the whole company, but there is no way to sugarcoat the message," he began, ominously.

Keep Reading Show less

Binance isn’t buying FTX after all. The crypto giant said Wednesday it has decided that it “will not pursue the potential acquisition” based on a “corporate due diligence” review.

Keep Reading Show less

On Wednesday, John Kerry unveiled a plan for a new carbon credit program aimed at mobilizing private capital to help middle-income countries transition away from coal and move toward renewable energy.

Keep Reading Show less

Meta announced it was laying off more than 11,000 employees Wednesday morning, slashing jobs in its recruiting department and refocusing its remaining team on AI discovery, ads, and its investment in the metaverse.

"I want to take accountability for these decisions and for how we got here," Mark Zuckerberg wrote in a message to employees that was also posted online. "I know this is tough for everyone, and I’m especially sorry to those impacted."

Keep Reading Show less

Al Gore has one mission this week at COP27, and that’s to give climate negotiators what he hopes will be a critical tool to address the crisis at hand: an independent, global inventory of greenhouse gas emissions, down to the individual facility.

The Climate TRACE coalition just released the world’s most detailed inventory of global greenhouse gas emissions, which Gore, a founding member, is unveiling on Wednesday at the United Nations climate summit in Egypt.

Keep Reading Show less

Way back in March, your friendly Protocol Climate team offered you some tips for writing a climate plan that doesn’t suck. Surely you took that advice. But if for some reason you didn’t, the United Nations has your back.

Keep Reading Show less

Binance CEO Changpeng “CZ” Zhao said Tuesday the crypto powerhouse signed a deal to acquire rival FTX.

Keep Reading Show less

Salesforce is preparing for a major round of layoffs that could affect as many as 2,500 workers across the software vendor, Protocol has learned, in a bid to cut costs amid a new activist investor challenge and harsh economic conditions.

Keep Reading Show less

BlockFi has introduced a new digital assets interest product for accredited investors, after previously agreeing to shut down a yield-paying crypto product that the SEC said was illegal.

Keep Reading Show less

The Justice Department said Monday it seized $3.4 billion worth of bitcoin stolen in the 2012 hack of the Silk Road dark web marketplace.

Keep Reading Show less

U.S. election infrastructure is exceedingly secure, and voter fraud here is so rare it’s comparable to your annual chances of getting struck by lightning. Despite this, former President Donald Trump and a long list of allies in the Republican Party have spent the last two years questioning the overall integrity of the U.S. election system. Many of those allies are now candidates themselves, and their coordinated attack on the country’s status as a democracy is not a relic of 2020. Some have already started repeating these “Big Lie” charges ahead of next week’s midterms. And the social platforms that help them spread their message have prepared few measures to stop it.

Keep Reading Show less

The White House just laid out its climate tech priorities to reach net zero by 2050.

Keep Reading Show less

Coinbase said Thursday that it lost more users in the third quarter. But the decline wasn’t the disastrous drop that Wall Street was expecting, and that sparked a rally in the crypto company’s shares after-hours.

Keep Reading Show less

The Biden administration announced $9 billion in funding Wednesday to improve home efficiency, which could help support the installation of up to 500,000 heat pumps. With winter approaching and utilities warning of gas shortages, there are some major challenges facing the technology that money can be used to tackle.

Keep Reading Show less

Block beat earnings expectations, with strong growth largely fueled by its Cash App business. Traders sent shares up more than 12% after-hours Thursday.

Keep Reading Show less

Stripe is laying off 14% of its staff, its co-founders said Thursday, as the fintech startup must start "building differently for leaner times."

Keep Reading Show less

Roku saw its revenue growth slow in Q3, and warned investors Wednesday that things are about to get worse: “A lot of Q4 ad campaigns are being canceled,” said Roku CEO Anthony Wood during the company’s Q4 earnings call. “We’re seeing lots of big categories pull back. Telecom, insurance … even toy marketers are planning on reducing their spending.”

Keep Reading Show less

Green jobs and corporate climate pledges abound, but skilled sustainability professionals are scarce.

Keep Reading Show less

Robinhood reported a drop in third-quarter revenue but also a narrower loss on Wednesday, in a sign that it might be stabilizing its business as it attempts to recover from a staggering drop in the stock and crypto trading activity that fueled its growth.

Keep Reading Show less
Bulletins