Sephora Fined $1.2M Under CCPA
Beauty retail enterprise Sephora is yet another major business that has been in violation of the California Consumer Privacy Act. What’s next for businesses that deal with data?
In order to settle complaints from the California Attorney General that the cosmetics company had broken the state's consumer privacy legislation, Sephora USA Inc. has agreed to pay $1.2 million.
Privacy rights are being safeguarded by the Attorney General's most recent action against Sephora. It's not only about conventional data brokering: If handled carelessly, any personal information gathered by online monitoring tools may breach the CCPA's Do Not Sell compliance rules.
The AG is speaking out and declaring that it is no longer acceptable for businesses to freely utilize people's data for financial advantage without providing them with a way to opt out. Customers should be informed that when website owners employ free or heavily subsidized analytics and advertising services, their data is being "sold." To stop this type of data-for-value exchange, they need to be provided explicit information and a choice. The AG has conducted many sweeps, including this one. Before the CPRA takes effect in 2023, further penalties should be announced during the upcoming months.
In this guide, we’ll take a look at the case against Sephora and why business owners need to start working on their CCPA compliance now before the regulations go into effect next year.
Attorney General Rob Bonta's office released a statement in August claiming that Sephora failed to inform customers that the business sells personal information gathered on its website and did not honor requests to opt out of sales made through user-configured privacy measures.
The agreement is the first public enforcement action under the California Consumer Privacy Act, and it requires the cosmetics company Sephora to abide by its terms. Court permission is required for the agreement.
In a statement, Sephora said that it has worked with the attorney general's office and that its business procedures are in compliance with the CCPA. The business has stated that it is crucial to remember that Sephora only utilizes data for Sephora experiences. The business claimed that as part of the California agreement, it did not accept culpability.
According to Bonta's complaint, which his office made public on Wednesday, the corporation let third parties track information including users' geolocation and the goods in an online shopping cart in return for targeted adverts and analytics services.
What does this recent occurrence mean for typical company owners, then? The deal between Sephora and the AG's office, in the Attorney General's opinion, sends a clear message to companies that continue to disregard California's consumer privacy statute. As such, it’s more important than ever for organizations to begin improving their data privacy processes to become compliant with the CCPA.
A state-wide data privacy legislation known as the California Consumer Privacy Act (CCPA) governs how companies from all over the globe are permitted to handle the personal information (PI) of California citizens. The CCPA went into force on January 1st, 2020. It is the country's first statute of its sort.
Businesses should be concerned about the CPRA, an extension of the CCPA. The California Privacy Rights Act (or CPRA) adds certain additional privacy protections while also extending the rights given to Californians under the CCPA. On January 1st, 2023, the CPRA will go into force.
The CCPA has been updated by the CPRA in the following ways:
Similar to the CCPA, the CPRA is applicable to for-profit organizations conducting business in California that also gather personal data from residents of California and fulfill other requirements. Because the CPRA has amended these threshold standards, it will be crucial for businesses to determine whether they meet the new thresholds, which include:
The CPRA also places new demands on businesses, such as the need to pass deletion requests not only to service providers but also to contractors and other third parties with whom the businesses have shared or sold information, as well as requirements for data minimization, retention, and purpose limitation. The law also requires enterprises to include additional clauses in their agreements with service providers, contractors, and other third parties. Increased auditing requirements, such as yearly cybersecurity audits and frequent risk assessments sent to the new enforcement agency, are anticipated to result from regulations adopted under the bill. The CPRA also explains how the anti-discrimination sections of the legislation affect loyalty programs and pushes back the CCPA's sunset clauses for the employee exemption and business-to-business exception until January 1, 2023.
The CPRA increases fines for offenses involving kids under the age of 16 and strengthens enforcement by eliminating the CCPA's current mandated 30-day cure time for enterprises. Additionally, the legislation broadens the categories of data breaches that are covered by the data breach private right of action to include data breaches involving a username, email address, and a password or security question and answer that would allow access to an online account.
Only infractions that happen on or after July 1st, 2023 will be subject to the CPRA's enforcement. Businesses must maintain flexibility in order to adapt their compliance practices in light of continuing regulatory action.
Without a system in place to monitor and comply with opt-out requests like "Do Not Sell," your business runs the danger of being held financially liable as well as losing the trust of customers, which will result in a reduction in sales.
Fortunately, maintaining CCPA and CPRA compliance is not too challenging. Simply audit your current compliance procedures, then put the following suggestions into practice:
Furthermore, businesses that deal with a significant amount of personal consumer data could benefit from a third-party platform like Data Sentinel to help automate their data trust processes. Data Sentinel’s platform can help your organization reduce sensitive data risks, comply with the CCPA and CPRA (as well as other relevant data regulations), manage overall data governance and data quality, and fix existing data roadblocks. Managing data and staying compliant can often be a challenge for organizations that deal with large data holdings, but platforms like Data Sentinel can make managing that data and staying compliant as efficient as possible.