Last August, California authorities reached a settlement with cosmetics giant Sephora Inc. over alleged violations of the California Consumer Privacy Act (CCPA), California's consumer data protection legislation. An investigation conducted by Attorney General Rob Bonta had found serious indications of shortcomings in the company's duty of transparency toward consumers and in its handling of requests to opt out of data sales.
CCPA regulations
The CCPA applies to all companies doing business in California that meet at least one of the following conditions: annual revenue of more than $25 million; purchase, receipt or sale of personal information relating to at least 50,000 residents, households or devices; or derivation of 50% or more of annual revenue from the sale of personal information referable to California residents. The Act, implemented in 2018, is designed to give California consumers strong control over the personal information collected and shared by businesses, in order to regulate the buying and selling of personal information and to ensure that the rights of data subjects are respected.
Among the most relevant provisions of the CCPA are, in particular, a duty of transparency on the part of businesses toward consumers, who must be informed, before or at the time their data is collected, of the purposes for which the data will be used, as well as specific provisions on the sale of data.
For example, companies are required to ensure that data subjects have the right to opt out of the sale of their personal data, that is, the ability to request that the sale be stopped. Following an opt-out request, companies must also wait at least 12 months before asking the customer again for consent to the sale.
The CCPA also requires a "Do Not Sell My Personal Information" link on the websites of businesses subject to the regulations; this link must be located in an easily accessible section of the webpage and must enable users to send opt-out requests. To comply with the CCPA's requirements, filling out and sending such a request must not require the creation of an account or verification of the customer's identity. In addition, opting out must also be possible through the Global Privacy Control (GPC) signal, which users can enable in their browser or through a browser extension.
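As an added illustration (not code from the article, from Sephora or from any regulator), the following shows how a site's back end could honor the two opt-out channels described above, the "Do Not Sell" link and the Global Privacy Control signal, and enforce the 12-month wait before asking for consent again. GPC-enabled browsers send the request header `Sec-GPC: 1`; the per-consumer `record` dictionary and its keys are an assumed storage schema.

```python
from datetime import date
from typing import Mapping


def gpc_opt_out_signal(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a Global Privacy Control signal.

    Browsers and extensions that implement GPC send the request header
    `Sec-GPC: 1`; any other value, or its absence, is not an opt-out signal.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return lowered.get("sec-gpc") == "1"


def _plus_twelve_months(iso_day: str) -> date:
    """Same calendar day one year later (29 Feb rolls to 28 Feb)."""
    d = date.fromisoformat(iso_day)
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def handle_request(headers: Mapping[str, str], record: dict, today: str,
                   clicked_do_not_sell: bool = False) -> dict:
    """Apply both opt-out channels to one request and return the updated record.

    `record` is an assumed per-consumer state kept by the site, for example
    {"opted_out": True, "opted_out_on": "2022-01-10", "source": "gpc"}.
    Neither channel requires an account or identity verification.
    """
    if record.get("opted_out"):
        return record  # already opted out; keep the original opt-out date
    if clicked_do_not_sell:
        source = "do-not-sell-link"
    elif gpc_opt_out_signal(headers):
        source = "gpc"
    else:
        return record
    return {**record, "opted_out": True, "opted_out_on": today, "source": source}


def may_sell(record: dict) -> bool:
    """Selling is allowed only while no opt-out is on file."""
    return not record.get("opted_out", False)


def may_ask_for_consent(record: dict, today: str) -> bool:
    """The site must wait at least 12 months after an opt-out before asking again."""
    if not record.get("opted_out"):
        return True
    return date.fromisoformat(today) >= _plus_twelve_months(record["opted_out_on"])
```

Because the GPC check runs on every request, a consumer who never finds the link is still opted out as soon as their browser sends the signal.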
The Sephora case and the violations noted by the Attorney General’s Office
The Attorney General's charges stem from a series of sweeping audits conducted on retail sites to verify their compliance with CCPA requirements. According to the Attorney General's Office, the investigation showed that Sephora failed to properly inform consumers about the sale of their data: the notice addressed to California customers merely told them that certain information was shared with third parties and stated that the data would not be sold, a claim that turned out to be untrue.
The company also allegedly failed to give data subjects adequate tools to withdraw consent to the sale, such as a user-friendly link that is easy to find and recognize on the website and in the app. Finally, Sephora allegedly failed to process requests from data subjects to withdraw consent to the sale, in violation of applicable privacy laws.
On 25 June 2021, the Attorney General's Office had notified the company of the opening of the investigation, warning it of the potential violations and requesting remedial action within 30 days. In the following month, however, Sephora failed to implement the necessary remediation.
The agreement
On August 24, the California Attorney General's Office announced that it had reached an agreement with Sephora Inc. to settle the dispute opened over alleged violations of the California Consumer Privacy Act and the Unfair Competition Law. Under the agreement, Sephora must pay a fine of $1.2 million, clarify its data policies, make appropriate opt-out mechanisms available to consumers, bring its agreements with service providers into line with CCPA requirements, and submit reports to the Attorney General.
Further Considerations
California's consumer data protection legislation has many similarities with the European General Data Protection Regulation (GDPR), although overall its provisions are less protective than those of the GDPR. The Sephora case, the first concerning enforcement of the CCPA, is an important step toward an approach similar to the one adopted by the European Union, that is, the implementation of strong measures to protect data subjects and to ensure compliance.
Special attention will therefore have to be paid by all companies that fall within the scope of the CCPA, directly or through local subsidiaries. Where websites accessible to California users already have a "GDPR-based" setup, it will be enough to:
- integrate them with a link or section bearing the statement "Do Not Sell My Personal Information", which must be easily accessible to all users and must allow them, by clicking on it, to exercise their right to object to the sharing or sale of their personal information to third parties; and
- provide users with appropriate information on the sharing or sale to third parties of the personal data collected by the site, including, but not limited to, the categories of personal data collected, the categories of personal data the company has sold and/or disclosed, and the categories of third parties to whom such information was sold (Section 1798.115 CCPA).
Under the GDPR, processing for the purposes of marketing, profiling, and sharing and/or selling data to third parties requires the user's consent (with specific exceptions) and is therefore based on an opt-in system, the opposite of the opt-out system provided for under the CCPA. In other words, European legislation requires the prior (free, specific, informed and unambiguous) consent of users before data is communicated or transferred to third parties.
If, on the other hand, the management of sites is differentiated at a local level, it will be necessary to align the contents of the websites, in terms of transparency for users and of safeguards for the rights under the CCPA.