Skip to main content

First California AG Enforcement Action Under CCPA – And It’s a Big One

California Attorney General Rob Bonta has announced a major settlement under the California Consumer Privacy Act (CCPA), and it will cost Sephora, Inc. a whopping $1.2 million in penalties.  According to the release from Bonta’s office, the settlement arose from an enforcement sweep against online retailers during which the AG’s office alleged that Sephora failed to disclose to consumers that it was “selling” their personal information (as defined under the CCPA) and that it failed to process user requests to opt out of any sale, including those received via the Global Privacy Control (GPC).   The complaint stated that Sephora was notified on June 25, 2021 of the alleged violations of the CCPA and thus had 30 days to cure.  According to the complaint, “by July 26, 2021, Sephora had failed to take any of the following steps:

·         Sephora failed to update its privacy policy to tell consumers that Sephora sells their personal information to third parties and that consumers have the right to opt-out of that sale;

·         Sephora failed to post a “Do Not Sell My Personal Information” link on its website and homepage;

·         Sephora failed [to] respond to process consumer opt-outs via the GPC.”

In addition to the imposition of the $1.2 million penalty (which goes to the Consumer Privacy Fund as provided in the CCPA), the settlement agreement includes obligations on Sephora to report to the AG on an annual basis and (1)  implement and maintain a program to assess and monitor its processing of opt-out requests along with an analysis of any errors or technical problems encountered in processing opt-outs via GPC and steps taken to remediate or fix; and (2) conduct a regular review of its website and mobile applications and document names of entities to which Sephora makes personal information available, the purpose for sharing, and whether they are “service providers,” along with other requirements.   The first report will be required to be filed within 180 days of the effective date of the settlement agreement and for 2 years thereafter.

Sephora updated its “California Residents” privacy policy as of August 10, 2022. 

Pay attention to your email boxes:  in addition to announcing the Sephora settlement, AG Bonta also said that his office today sent notices to “a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.”   Businesses that receive letters today have 30 days to cure the alleged violations or face the same fate as Sephora – enforcement action from the AG’s office. 

If you have any questions about your CCPA compliance program, or need to get one implemented, contact the Mintz Privacy Team.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.