California Attorney General Rob Bonta had determined that Sephora failed to disclose to consumers that it was selling their data, failed to process users' requests to opt out of the sale via user-activated global privacy controls in violation of the Californian equivalent of the EU’s General Data Protection Regulation, and failed to remedy these violations within the 30-day period currently allowed by the CCPA.
I hope today's settlement sends a strong message to companies.
"TTechnologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale,” Bonta said . “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses."
According to the complaint, Sephora, notified in June 2021, had not made any changes in the 30 days given by the Attorney General until this decision to come into compliance.
The group will likely quickly recover from this bad publicity, having achieved record sales in 2021 at more than $10bn.
This story was first published in French on . It has been translated and edited for Delano.