AG Bonta Settles With Sephora Over Online Privacy Allegations

  • California AG Rob Bonta reached a settlement with beauty retailer Sephora to resolve allegations that it violated the California Consumer Privacy Act (CCPA) and the state’s Unfair Competition Law by providing third-party analytics and technology partners with access to users’ personal information without informing consumers. Sephora also allegedly failed to process requests by consumers to opt out of this arrangement via user-enabled global privacy controls (GPC).
  • According to the complaint, a June 2021 enforcement sweep of large retailers revealed that Sephora’s website did not respond to prompts from the GPC, which should signal all e-commerce websites that a consumer did not want their personal information shared. The AG’s office also found further sale-related violations, including failing to inform consumers that their personal information was being sold, failing to provide a “Do Not Sell My Personal Information” link, and failing to process GPC opt-out requests.
  • Under the terms of the settlement, Sephora must comply with the CCPA by, among other things, informing consumers that it sells their personal information, and implement a CCPA compliance program that requires annual reporting to the AG. Sephora will also pay a monetary penalty of $1.2 million.