The Sephora case: Do not sell – But are you selling? - International Association of Privacy Professionals

Category: Selling Online News
Original source: International Association of Privacy Professionals
Read time: < 6 minutes
Sentiment bias: Positive
Sentiment Score: 0.99761
Published: Aug 30th, 2022
The Sephora case: Do not sell – But are you selling? - International Association of Privacy Professionals

Quick Read

Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act.
The attorney general alleged Sephora failed to disclose to consumers it was selling their personal information; failed to honor user requests to opt out of sale via user-enabled global privacy controls; and did not cure these violations within the 30-day period allowed by the law.
It signals the attorney general’s focus on online tracking and on implementation of and compliance with global opt-out signals, such as the Global Privacy Control.
Perhaps symbolically, the attorney general’s first enforcement action comes not against one of the many technology companies based in the state, but rather against a French fashion brand.
Much like Chair Lina Khan’s FTC, which used the term extensively in its Advance Notice of Proposed Rulemaking, the attorney general is making an implicit value judgment in just naming data practices, which for now, at least, are run of the mill, as menacing “surveillance,” a term typically associated with national security agencies.

The Sephora case: Do not sell – But are you selling? - International Association of Privacy Professionals

Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act. Pursuant to the settlement, Sephora, a French cosmetics brand, will pay $1.2 million in fines and abide by a set of compliance obligations. The attorney general alleged Sephora failed to disclose to consumers it was selling their personal information; failed to honor user requests to opt out of sale via user-enabled global privacy controls; and did not cure these violations within the 30-day period allowed by the law. At issue in the case was Sephora’s sharing of information with third-party advertising networks and analytics providers, both commonplace practices among publishers. For companies doing business in California and preparing for the California Privacy Rights Act activation in January 2023, this case marks a considerable uptick in risk. It signals the attorney general’s focus on online tracking and on implementation of and compliance with global opt-out signals, such as the Global Privacy Control. In a news release announcing the settlement, Bonta warned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. ... There are no more excuses.” In addition, the office announced it sent notices to a number of businesses “alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC.” Here are several observations about the decision: Choice of defendant. Perhaps symbolically, the attorney general’s first enforcement action comes not against one of the many technology companies based in the state, but rather against a French fashion brand. With European privacy regulators laser-focused on Silicon Valley, the California regulator picked a case against Champs-Elysées. Consumer surveillance. In its news release, the office states, “The settlement with Sephora underscores the critical rights that consumers have under CCPA to fight commercial surveillance.” The use of the term “commercial surveillance” is illuminating. Much like Chair Lina Khan’s FTC, which used the term extensively in its Advance Notice of Proposed Rulemaking, the attorney general is making an implicit value judgment in just naming data practices, which for now, at least, are run of the mill, as menacing “surveillance,” a term typically associated with national security agencies. The use of the term also suggests an emphasis on practices that involve tracking consumers across websites and services. Importantly, however, the CCPA places responsibility for such “surveillance” in the hands of businesses, like Sephora, that interact directly with consumers, rather than the third parties that receive and aggregate information from multiple sources. GPC, GPC, GPC. In a one-page news release, the attorney general mentioned Global Privacy Control 10 times. Bonta began his statement by saying, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights.” Clearly, the attorney general is intent on motivating businesses to implement the GPC as a one-stop-shop opt-out of data sales. Recall that a global opt-out mechanism wasn’t even mentioned in the CCPA, but rather appeared first in regulations thereunder. And that the attorney general first called for adherence with GPC in an online FAQ published in July 2021. Even the language of CPRA remains exceedingly vague with respect to the recognition of global opt-out signals, allowing businesses to voluntarily comply with “an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations” as an alternative to offering a “do not sell or share” link (rather than in addition to such a link). At the same time, the draft CPRA regulations suggest the California Privacy Protection Agency will also require businesses to comply with GPC signals even if they offer a “do not sell or share” link. Increasing emphasis on the GPC will inevitably raise questions about whether browsers can bake the GPC in by default or whether instead consumers will have to take an affirmative action to enable the signal. And, if use of the GPC becomes common, businesses will undoubtedly complain that the GPC converts an opt-out law into one that operates more like an opt-in. Be that as it may, the attorney general issued an unambiguous statement: publishers doing business in the state must honor GPC, or else... But was it a sale? The case against Sephora turns on whether the company “sold” users’ personal information, as that term is defined in CCPA to mean trading personal information for valuable consideration. If Sephora sold personal information and failed to provide a “do not sell” link or to honor “do not sell” requests, it violated the law. But did it sell? The complaint alleged Sephora had third-party trackers on the site for analytics, ad serving and retargeting purposes. However, a critical question remains unanswered, namely whether those third parties were Sephora’s “service providers.” The attorney general took the position that sharing data with a vendor in exchange for analytics or ad serving is a “sale” because Sephora “gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits,” including “the valuable option to serve targeted s to the same shopper on the analytics provider’s advertising network.” But these same practices are often positioned as service provider arrangements where a business procures an analytics or ad targeting service on its own behalf. (In other words, rather than “selling” data, the business is buying a service). In this vein, Bonta suggested the alleged “sale” could have been cured by having “valid service-provider contracts in place with each third party;” but in the same breath alleged that “data about consumers is frequently kept by companies and used for the benefit of other businesses.” Importantly, publishers should take note that in order to prove that a vendor is a service provider under the CCPA, a business must put in place a service provider contract. Analytics services. While not mentioning any third-party provider by name, the complaint states “Sephora installed one widely-used analytics and advertising software package that let the analytics provider gather and keep personal information about an online shopper’s activities. The analytics provider then gave Sephora data about what shoppers did on its website or in its app, like how many people looked at a particular product. The analytics provider also would determine who the shopper was, using extensive data gathered from other sources, and then present Sephora with the valuable option to serve targeted s to the same shopper on the analytics provider’s advertising network.” If the attorney general was concerned about Sephora’s use of Google Analytics, it is perplexing he did not address Google’s “restricted data processing” feature, which limits the uses of data by Google and other third parties. When Google first offered this feature, it had to be enabled by businesses implementing Google services, but now Google turns on this feature by default. This should protect a business against allegations of a data sale. Reproductive health information. The complaint states, “Sephora’s website allows visitors to browse and purchase products such as prenatal and menopause support vitamins — data points which can be used by third-party companies to infer conclusions about women’s health conditions, like pregnancy.” In the dawn of Dobbs v. Jackson, even companies that didn’t consider themselves as processing particularly sensitive information have been dragged into the political rift. Any practices that could involve reproductive health information merit close scrutiny by general counsel and chief privacy officers. Implications for businesses In light of the Sephora case and the strong statements issued by the attorney general, businesses should implement the following steps:
The Original Article can be found on International Association of Privacy Professionals

Recent Selling Online News Articles

Three Ocean County Residents Charged For Selling Drugs - Jersey Shore Online

TOMS RIVER – A multi-agency investigation has led to three Ocean County residents to be arrested and charged for selling drugs, authorities said. Three homes, two in Lakewood and …

Read more here
Three Ocean County Residents Charged For Selling Drugs - Jersey Shore Online
Lakewood turns to online auction to sell old street signs - cleveland.com

LAKEWOOD, Ohio -- Feeling nostalgic? You can join an online auction to buy old Lakewood street signs. This means that instead of considering any late-night thievery, prideful resi …

Read more here
Lakewood turns to online auction to sell old street signs - cleveland.com
Lakewood using online auction to sell old street signs - cleveland.com

LAKEWOOD, Ohio -- The auction bidding has begun for the first time in Lakewood regarding the sale of old street signs. This means, instead of considering any late-night thievery, …

Read more here
Lakewood using online auction to sell old street signs - cleveland.com
How to Sell a Used HP Laptop Online - Startup.info

HP laptops strike the perfect balance of quality and affordability. But the brand releases new models so often you might be tempted to upgrade. So, what to do with your older, stil …

Read more here
How to Sell a Used HP Laptop Online - Startup.info
Iconic Goodwill gets serious with online for thrifters - KKTV

NEW YORK (AP) — Thrifters who flock to Goodwill stores will now be able to do more of their treasure hunting online. The 120-year-old nonprofit organization on Tuesday launched Go …

Read more here
Iconic Goodwill gets serious with online for thrifters - KKTV
Latest News
Help & How To's
Around the Web