Sephora must pay a $1.2 million fine, inform California customers that it is selling their personal information, and offer them ways to opt out.
International cosmetics giant Sephora is the first company to be publicly fined for violating the California Consumer Privacy Act (CCPA). In a press release issued on Wednesday, August 24, California Attorney General Rob Bonta announced a settlement with Sephora over allegations that it violated the CCPA, requiring the company to pay $1.2 million in fines and comply with a set of conditions.
Following its investigation, the California Attorney General's office said it found that Sephora had failed to tell customers it was selling their personal information, had failed to process requests from users who opted out of the sale of their data, and had not cured these violations within the 30-day cure period the CCPA allowed.
Passed in 2018, the CCPA is designed to give consumers specific rights over the use and sale of their personal information by companies doing business in California. The regulations provide that consumers have the right to know what data a company collects about them and how their data is used and shared. They have the right to delete the data collected about them, with certain exceptions. And they have the right to opt out of the sale of their personal information.
Businesses Face Consequences for Violating the CCPA
In addition to paying the $1.2 million fine, Sephora must meet several other conditions. The company must clarify its online privacy policy to state that it sells personal data. It must also give consumers a way to opt out of the sale of their data, and must modify its service provider agreements to meet CCPA requirements. And the company must report to the California Attorney General's Office on its sales of personal information, the status of its service provider relationships, and its efforts to honor the Global Privacy Control (GPC) signal.
As a further sign that California is taking the CCPA seriously, Attorney General Bonta also sent notices to a number of other companies alleging violations of the law, most notably failures to honor consumer opt-out requests made through privacy controls such as GPC. Available in supporting web browsers and browser extensions, GPC lets users opt out of the sale of their data by broadcasting a "do not sell" signal to every website they visit. The companies that received notices of alleged violations have 30 days to cure them, after which the Attorney General's office may take enforcement action.
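Honoring the GPC signal is a concrete engineering change, not just a policy edit, so here is an added example of what the server side of that looks like. This is illustrative code written for this page, not code from Sephora, the Attorney General's office or the article. It relies on the Global Privacy Control specification's mechanism: a browser or extension with GPC enabled sends the request header `Sec-GPC: 1` (the only valid value is exactly `1`) and exposes `navigator.globalPrivacyControl` to page scripts, and a site can publish `/.well-known/gpc.json` to state that it honors the signal. The header samples, the tag names and the `decide_data_sharing` function are constructed for illustration.

```python
"""Honoring a Global Privacy Control (GPC) signal on the server side.

Added example, not code from the article or from any company it mentions.
Per the GPC specification, a browser or extension with the signal enabled
sends the HTTP request header "Sec-GPC: 1" on every request. Only the exact
value "1" is a valid signal; anything else is treated as "no signal".
"""

import json
from dataclasses import dataclass, field


def gpc_signal_present(headers) -> bool:
    """Return True if the request carries a valid GPC opt-out signal.

    `headers` is any iterable of (name, value) pairs, e.g. the .items() of a
    framework's request-headers object. Header names are matched
    case-insensitively; the value must be exactly "1" after trimming.
    """
    for name, value in headers:
        if name.lower() == "sec-gpc" and value.strip() == "1":
            return True
    return False


@dataclass
class DataSharingDecision:
    share_with_third_parties: bool
    reason: str
    # Hypothetical tag names the app would hand to its tag manager / ad SDKs;
    # constructed for illustration only.
    enabled_tags: list = field(default_factory=list)


THIRD_PARTY_TAGS = ["ads_pixel", "analytics_share"]  # constructed sample


def decide_data_sharing(headers, explicit_opt_out: bool) -> DataSharingDecision:
    """Decide whether third-party sale/sharing tags may fire for this request.

    A GPC signal is treated as a valid opt-out of sale, exactly like an opt-out
    submitted through a "Do Not Sell My Personal Information" link. The most
    restrictive applicable choice wins: GPC can switch sharing off, never on.
    """
    if explicit_opt_out:
        return DataSharingDecision(False, "user opted out via site control")
    if gpc_signal_present(headers):
        return DataSharingDecision(False, "Sec-GPC: 1 received; treated as opt-out")
    return DataSharingDecision(True, "no opt-out signal", list(THIRD_PARTY_TAGS))


def gpc_support_resource(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json: the site's machine-readable
    statement that it honors GPC, with the date that statement last changed."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample requests, as (name, value) header pairs.
SAMPLE_REQUESTS = {
    "gpc_on": [("Host", "shop.example"), ("Sec-GPC", "1")],
    "gpc_malformed": [("Host", "shop.example"), ("sec-gpc", "true")],
    "no_gpc": [("Host", "shop.example"), ("Accept", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        d = decide_data_sharing(hdrs, explicit_opt_out=False)
        print(f"{label:14} share={d.share_with_third_parties} "
              f"tags={d.enabled_tags} ({d.reason})")
    print(gpc_support_resource("2022-08-24"))
```

The check belongs in the request path before any third-party tag, pixel or server-side data feed is triggered, and the decision should be logged: the Attorney General's allegation against Sephora was precisely that opt-out requests were not processed, and a per-request record of why sharing was allowed or blocked is what lets you demonstrate the opposite.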
"The recent fine imposed on Sephora by the state of California is a brutal wake-up call for organizations that fail to take rapidly evolving data privacy regulations seriously," said Jeff Sizemore, chief governance officer at security and compliance firm Egnyte. "In particular, companies must: 1) have effective processes in place to handle opt-out requests; 2) manage consumer requests made through Global Privacy Control technology; 3) inform consumers when their data is sold; and 4) keep their privacy policies up to date."
Changes to the privacy policy to provide greater transparency
Sizemore also advised companies doing business in California, Virginia, Colorado, Utah or Connecticut to prepare for the new and updated privacy legislation coming into force in those states in 2023.
"The Sephora fine should remind organizations to review privacy policies with employees and conduct compliance audits," said Sam Humphries, EMEA head of security strategy for cybersecurity firm Exabeam. "This can reassure skeptical employees and consumers that their accounts will be protected and their privacy maintained, while also protecting organizational data."
Humphries advised companies to be transparent about their data monitoring and create policies for employees that are easily accessible through paper or digital training. The policy should avoid complicated jargon and direct employees to an appropriate contact person to answer any questions.
Furthermore, Humphries suggested that even organizations not required to comply with data privacy regulations such as the CCPA should ask themselves the following five questions to guide their data protection:
- Is your data monitoring lawful, fair and transparent?
- Will the personal data you collect be used for a specific purpose?
- Do you take all reasonable steps to delete or correct inaccurate or incomplete data?
- Do you delete personal data as soon as you no longer need it?
- Is the data you collect properly secured?