Beauty retailer Sephora was fined $1.2 million by California Attorney General Rob Bonta and is the first-ever California Consumer Privacy Act enforcement action. At the heart of the matter is Sephora allegedly misrepresenting its actions to California consumers (saying that it did not sell consumer personal information despite the fact it engaged in targeted advertising, thereby “selling” data to third-party companies) and failing to provide for or recognize global opt-outs “including … the Global Privacy Control.” Nowhere on their website or app did it clearly list a “Do Not Sell My Personal Information” link. This means Sephora sold the data of users who legally opted out via a global privacy setting.
The various information that Sephora tracked and sold without proper disclosure or opt-out capability included geolocation and network activity with both analytics partners and advertisers. Sephora allegedly gave this information in exchange for analytical or advertising services. The retailer was not covered by any exemptions to user consent, as they had no valid third-party service provider contracts.
This enforcement is a case study in noncompliance, how marketing and privacy intersect, and what companies should do to avoid the glare of the attorney general. Before understanding what companies should be doing to avoid a similar enforcement action, it’s important to understand how privacy laws such as the California Consumer Privacy Act now interpret targeted advertising as a sale of data.
Consumers care about privacy
A recent 2022 Integral Ad Sciences report found 99% of consumers “agree that privacy is important while browsing online.” Sixty-seven percent of consumers agree that “they are more vigilant about their online data and privacy than ever before.” Meanwhile, “68% of consumers are uncomfortable with their online data being used for advertising purposes.”
There is often a pull between marketing and privacy. A marketer’s job is to help promote the brand, attract new customers and inform current customers about all the products and services they should purchase.
In our increasingly busy lives, marketing is about targeting the right audience. In the $72 billion direct mail advertising market, it has been a practice for years that data is purchased from entities such as data brokers and credit card companies — I’ve even had direct mail marketers say the lists are shared amongst themselves so that retailers can send hopefully the right catalog to just their ideal customer.
Internet marketing has gone through many iterations, starting with placing basic ads on a website (here’s a fun flashback to internet ads including popups) to the late 2000s era of aggregating websites into ad networks. This aggregation allowed advertisers to once again target ads to their ideal demographic.
As the adtech ecosystem matured with more complex measurement and targeting tools, a single tag eventually could house multiple tags, and pixels would drop multiple cookies on users’ computers. These pixels were originally referred to in the advertising industry as “non-personally identifiable information” and were shared amongst hundreds of companies, which in turn built profiles or algorithms. A classic example: A Facebook pixel drops on a publisher’s site. The publisher shares this data back to Facebook. Facebook adds it to its algorithm. The publisher runs a targeted campaign on Facebook based on the people who visited their site and engaged with the Facebook ad.
When a company gives information such as geolocation, browsing and networking activity in exchange for analytical or advertising services, California clearly says it will be treated as a sale as this was an exchange for other valuable consideration.
Sale within the context of the CCPA is defined as:
“… Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration under its definition of sharing of data for other valuable consideration.”
Opt-outs and Global Privacy Control
While cookie banners have been around for a while (thank you, 2011 ePrivacy Directive), the EU General Data Protection Regulation made them popular. The philosophy behind the cookie banner is to inform customers about the type of cookies placed on a website, for what purpose, and to allow the individual choice over cookies. There’s been discussion that the cookie banner has backfired. In its current state, it is cumbersome to accept or reject on each individual website. Cookie banners are not the best user experience and most consumers don’t have a clue about any of the adtech vendors are to make an informed decision to opt-in or opt out.
Global Privacy Control is a new alternative to let consumers exercise control at the browser level and is supposed to help in the long-term with cookie banner overload. Several of the state attorneys general offices, including California, have stated that they expect companies to adhere to the GPC. In the California attorney general’s press release on the Sephora fine, specific mentions of the GPC state the expectation of its implementation.
Why some companies don’t agree..
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
