California Attorney General Rob Bonta announced that his office has recently settled a case with makeup retailer Sephora over a number of violations of the California Consumer Privacy Act (CCPA). The settlement requires Sephora to pay $1.2 million in penalties, as well as enact numerous measures to bring the business’s online operations into compliance with the CCPA.

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” said Bonta. “It’s been more than two years since the CCPA went into effect….There are no more excuses.”

According to the Attorney General, the majority of violations were related to the sale of consumers’ personal information. Through a variety of tracking technologies, Sephora was sharing data about its website visitors with third parties in exchange for advertising and analytics services, an arrangement that is considered a “sale” under the CCPA. The company did not disclose this fact in its privacy policy, did not post a “Do not sell my personal information” link on its site, and offered consumers no way to opt out.

The Attorney General also heavily emphasized the role of Global Privacy Control (GPC) in CCPA compliance. GPC is a user-enabled signal sent by web browsers to function as an automatic opt-out request to the site being visited. Under CCPA regulations, online businesses are required to respect the GPC signal and treat it as they would any other consumer opt-out. As part of the settlement agreement, Sephora must implement a mechanism to honor opt-outs via the GPC signal.

Before seeking any penalties or injunctions, the Attorney General’s Office first sent a California Privacy Protection Agency may skip the 30-day cure period and proceed directly to an administrative hearing and penalty assessment.

Any businesses left in doubt should consider Mr. Bonta’s words of warning: “My office is watching, and we will hold you accountable.”

‍