The first CCPA enforcement action – Do not sell and GPC


Sephora received the first enforcement action under the California Consumer Privacy Act (CCPA) from the California Attorney General (AG) office, due to their failure to notify consumers about the sale of their personal information using online tracking technologies, provide consumers a method to opt-out of those sales, and process opt-outs through user-enabled privacy signals like Global Privacy Control (GPC). Sephora failed to cure these violations within the 30-day cure period allowed under the CCPA.


The settlement included a $1.2 million dollar fine and requires Sephora to make operational improvements along with two years of annual reporting to the AG that includes details about sale of personal information, review of service provider relationships and contracting, and efforts to honor privacy signals like GPC.


The AG emphasized that it hopes it “sends a strong message” and that the “right to avoid liability by curing CCPA violations after they are caught is expiring.” The AG’s statements are an important reminder that the right for organizations to receive notice of non-compliance and cure within 30 days will expire on January 1, 2023.


The settlement demonstrates the AG's focus on the sale of data through online tracking technologies, and honoring user-enabled privacy signals. With the updated requirements under the California Privacy Rights Act (CPRA) and the focus on streamlined opt-out practices, it is critical for companies to have a robust cookie management program to track, inventory, classify, and effectuate opt-outs.


What you need to do


  1. Review cookie management practices.
    Companies should confirm that they have a systematic process in place to routinely perform cookie scans, inventory cookies, classify cookies and support “frictionless” opt-outs as required.
  2. Confirm user-enabled privacy controls (like GPC) are enabled on all domains.
    GPC and other preference signals can be implemented, leveraging built-in functionality within your cookie management platform or by implementing code on all relevant domains (like using spec developed by the GPC coalition).
  3. Review practices to assess potential sales and sharing of personal information, with a focus on online tracking technologies.
    Confirm that you have documented all sharing of personal information, classified each as a sale or service provider relationship, and documented the rationale for the classification. Companies should also establish an ongoing process to review the data sharing relationships and associated contractual terms and monitor for changes across the business that could impact your legal position.
  4. Review notices and cookie banners.
    Confirm any sale of personal information is clearly communicated through privacy notices and cookie banners and implemented across all collection points, including the use of privacy signals.
  5. Be ready for increased CCPA enforcement.
    With the cure period expiring, companies should review compliance with CCPA ahead of January 1, 2023, while working towards preparing for the new requirements under CPRA.




Our privacy and data protection insights