Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act. Pursuant to the settlement, Sephora, a French cosmetics brand, will pay $1.2 million in fines and abide by a set of compliance obligations. The attorney general alleged Sephora failed to disclose to consumers it was selling their personal information; failed to honor user requests to opt out of sale via user-enabled global privacy controls; and did not cure these violations within the 30-day period allowed by the law.
At issue in the case was Sephora’s sharing of information with third-party advertising networks and analytics providers, both commonplace practices among publishers. For companies doing business in California and preparing for the California Privacy Rights Act activation in January 2023, this case marks a considerable uptick in risk. It signals the attorney general’s focus on online tracking and on implementation of and compliance with global opt-out signals, such as the Global Privacy Control.
In a news release announcing the settlement, Bonta warned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. … There are no more excuses.” In addition, the office announced it sent notices to a number of businesses “alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.”
Here are several observations about the decision:
- Choice of defendant. Perhaps symbolically, the attorney general’s first enforcement action comes not against one of the many technology companies based in the state, but rather against a French fashion brand. With European privacy regulators laser-focused on Silicon Valley, the California regulator picked a case against Champs-Elysées.
- Consumer surveillance. In its news release, the office states, …
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
