Although portions of the California Consumer Privacy Act (“CCPA”) and regulations are not yet effective, California Attorney General’s (“AG”) office is not waiting to enforce. As it stands, the CCPA was modified by the California Privacy Rights Act (“CPRA”) and is not in full effect until January 2023. However, the majority of the CCPA is currently in effect and Sephora is the first one to feel it.
According to a complaint filed by AG’s office, Sephora is accused of violating the CCPA by (1) failing to properly notice consumers of collection data; (2) failing to post a “Do Not Sell My Personal Information” link; and (3) failing to respond and process consumer opt-outs via global privacy control signals, such as Global Privacy Control (“GPC”). This case particularly demonstrates what “selling” data means under the CCPA and how businesses should handle GPC.
Is your business “selling” data?
Should GPC signals be honored?
GPC signals allow users to signal their chosen privacy settings to websites and services through their browser. The signal also gives users the ability to opt out of the sharing and sale of their data. There has been much debate on whether a business should honor GPC signals since it has been argued that the CCPA leaves room for businesses to not accept them. As seen with the proposed regulation by the California Privacy Protection Agency (“CPPA”), there has been a push to mandate businesses to acknowledge GPC signals. Based on the AG’s case against Sephora, businesses should be ready to update their software to accept and respond to GPC signals.
The AG’s office has been adamant that Sephora is one of many businesses they are investigating for CCPA compliance. They have held firm that they are not trying to harm businesses and they are providing businesses guidance through the 30-day opportunity to cure. Nevertheless, they will enforce the CCPA to its full effect if there are any violations. Therefore, if you have a covered business under the CCPA you should reach out to a privacy professional to ensure you have an effective privacy compliance program tailored to your business.