Sephora fined $1.2M in first CCPA enforcement

International cosmetics retailer Sephora has become the first company to be penalized under the California Consumer Privacy Act (CCPA). The cosmetics has agreed to pay $1.2M to settle allegations. California Attorney General Rob Bonta alleged that Sephora failed to: 

• disclose to consumers that it was selling their personal information
• process user requests to opt-out of sale via user-enabled global privacy controls in violation of the CCPA
• and that it did not cure these violations within the 30 days currently allowed by the CCPA

In addition to the $1.2M fine, the retailer must also: 

• Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data;
• Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control;
• Conform its service provider agreements to the CCPA’s requirements; and
• Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.

‍