SACRAMENTO, California — Sephora Inc., one of the world’s largest cosmetics retailers, has settled a lawsuit alleging the company sold customer information without proper notice in violation of California’s historic consumer privacy law, Attorney General Rob Bonta said Wednesday.
Sephora did not tell customers that it was selling their personal information, did not allow customers to opt out of that sale, and did not resolve the issue within 30 days as required by law, even after being notified of the violation, state officials said.
The company agreed to pay $1.2 million and immediately correct the issue under the settlement, the state’s first such enforcement action under the California Consumer Privacy Act, according to Bonta.
Sephora said it is already in compliance with state law after working with Bonta’s office.
“Data is power, and nowadays everyone wants it,” Bonta said.
“Some of the most intimate details about your life are harvested,” he said. “The more data a company has about you, the more power they have over you, the more they can target you to buy their goods and services.”
But state law gives consumers a way to block that collection and sale.
The law was passed by state lawmakers in 2018 and expanded by voters in 2020. It gives California, home to Silicon Valley, what is seen as the strongest U.S. data privacy law, and gives consumers the right to know what information companies collect about them online, to have that data deleted, and to opt out of the sale of their personal information.
Bonta’s office has warned more than 100 companies that they were not following the rules and sent out more than a dozen new notices on Wednesday. The “vast majority” complied, he said, but not Sephora, which sells cosmetics, perfumes, beauty and skin care products in 2,700 stores in 35 countries.
“Their actions compared to others were blatant,” he said, saying the settlement should serve as a warning to other companies that are not adhering to the rules.
The company admitted no liability or misconduct under the terms of the settlement. The company was founded in France and has its US headquarters in San Francisco.
Sephora said in a statement that the company “respects consumer privacy and is committed to being transparent about how their personal information is used to improve their Sephora experience.” It said it has allowed customers to opt out of the sale of personal information since November 2021.
The company said its tracking will allow it to “provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and advertising,” but customers can now easily opt out of this personalized shopping experience.
Sephora allowed third-party companies to install tracking software that allowed them to build detailed consumer profiles that would help them better target customers, Bonta said. But on its website, it promised “we will not sell any personal information,” the lawsuit said.
The 30-day grace period for companies that violate the law ends next year, when companies must comply with the law without warning.
Also next year, Bonta’s office will share enforcement responsibility with a new California Privacy Protection Agency. The agency is taking public comments this week on proposed privacy rules as part of the 2020 expansion.
“There’s definitely overlap,” Bonta said, but “multiple watchdogs around the neighborhood standing up for consumers, standing up for their privacy, making sure data decisions are in their hands and their data isn’t being sold or misused against their wishes is a good thing [in this] case and we are excited about that.”
Bonta and other California officials also want to make sure that the strict state law is not undermined as the federal government considers standards of its own that are likely to be less stringent.
The executive director of the state’s new privacy agency this month sent a letter to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy, both of California, warning that a version under consideration in the House would replace California’s protections with weaker protections. Governor Gavin Newsom and the state assembly speaker are among others who have objected.
Bonta said California law would not be affected as long as Congress makes its standards “a floor, not a ceiling. That they don’t prejudge the incredible privacy protections, industry-leading privacy protections that we have here in California.”
The Federal Trade Commission said this month it will also consider new rules.
Copyright 2022 ABC NEWS. All rights reserved.