Why Sephora’s $1.2 million settlement with California should be a wake-up call for companies

Some companies using tracking tools like pixels and cookies have been selling customers’ personal information, said California AG.
Illustration: Francis Scialabba, Photo: Ebby May/Getty Images

No amount of caked-on foundation and expensive eyeliner could hide Sephora from California’s attorney general. Last week, the company agreed to pay a $1.2 million fine for allegedly violating the California Consumer Privacy Act (CCPA). It’s the first enforcement and fine resulting from the law, and it has implications that could be important for...the internet.

California accused Sephora of making that customer data available to third parties—which it did by sharing that data with commonly used web-analytics companies that run on its website—and failing to disclose the sale of personal info or provide an opt-out link on some browsers.

Wait, what? According to the settlement, under the CCPA, a sale is “the exchange of personal information for anything of value,” including third-party cookies and pixels, tech that companies can use to target and retarget ads to browsing customers.

That means that businesses who share personal data but don’t want to be classified as selling that data need specific contracts with service providers agreeing to use that data very narrowly and only for the company they collected it for, Travis P. Brennan, shareholder and chair of Stradling Yocca Carlson and Rauth PC’s privacy and data security practice, said. Otherwise, companies have to make it clear to their customers that they’re selling their data, he said.

The CCPA requires the companies that sell that data to give consumers the right to opt out. Which is where the CCPA could get…tricky, Brennan said. California clearly considers companies using analytics and advertising services provided by Facebook or Google, for example, to be selling that data under the CCPA, Brennan said.

“At least from the perspective of the Attorney General’s office…if you are using the Facebook pixel, you are selling the personal data of your website visitors to Facebook, unless you have made sure that Facebook is your service provider [under the CCPA],” Brennan said.

  • Facebook and Google have responded to the CCPA by offering “limited” or “restricted” versions of their data and tools, pared down so that using them can be privacy-compliant. The complaint didn’t say who Sephora’s analytics partner was.
  • As part of its settlement, Sephora will also have to inform California customers that it’s selling their data and let them opt out.

In Sephora’s case, it was partnering with companies that could see what kind of device a customer was using (“a MacBook or a Dell”), what they had in their shopping cart, and their precise location, the attorney general said.

At the same time, Sephora’s website claimed that “we do not sell personal information.”

  • The company also failed to respect the preferences of customers who did want to opt out of having their personal information sold. In fact, according to the AG, their site wasn’t configured to even listen when customers indicated via a global opt-out signal that they didn’t want their data sold.

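The failure described above is a configuration one: third-party tags fire before the site ever checks whether the visitor has opted out. The snippet below is an added example, not Sephora’s or Marketing Brew’s code. It assumes the “global opt-out signal” is Global Privacy Control (GPC), which browsers expose as `navigator.globalPrivacyControl` and send as the `Sec-GPC: 1` request header; the tag inventory, its `role` field and the `ccpa-pref` storage key are constructed for illustration.

```javascript
// Added example: gate third-party tracking tags on the visitor's opt-out
// status before any script that shares data with a third party is loaded.

// Decide whether a visitor has opted out. `nav` is passed in so the logic
// can be exercised outside a browser; the real call site passes `navigator`.
function hasOptedOut(nav, savedPreference) {
  // An explicit site-level opt-out (from a "Do Not Sell" link) always wins.
  if (savedPreference === "opt-out") return true;
  // Otherwise honor the browser-wide GPC signal.
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server-side equivalent: the same signal arrives as the Sec-GPC header.
// `headers` is a lower-cased header map as Node's http module provides it.
function gpcFromHeaders(headers) {
  return headers["sec-gpc"] === "1";
}

// Constructed tag inventory (not real vendor URLs). `role` is a hypothetical
// field the site owner maintains: tags run under a CCPA service-provider
// contract may still load after an opt-out; tags that share data with a
// third party for its own use may not.
const TAGS = [
  { id: "site-analytics", role: "service-provider", src: "https://analytics.example/a.js" },
  { id: "ad-pixel",       role: "third-party",      src: "https://ads.example/pixel.js" },
];

// Return only the tags that are allowed for this visitor.
function selectTagsToLoad(tags, optedOut) {
  return tags.filter((tag) => !optedOut || tag.role === "service-provider");
}

// Inject the permitted tags into the page.
function loadTags(doc, tags) {
  for (const tag of tags) {
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
}

// Browser entry point; skipped when run outside a browser (no `document`).
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const optedOut = hasOptedOut(navigator, window.localStorage.getItem("ccpa-pref"));
  loadTags(document, selectTagsToLoad(TAGS, optedOut));
}
```

The same `hasOptedOut`/`gpcFromHeaders` decision should also drive any server-side pixel or conversion API call, since the complaint concerns data leaving the site, not only client-side scripts.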
Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.

The complaint also mentions that Sephora was sharing data that third parties could use to infer a customer’s health status, like whether they’re pregnant. That’s notable as the overturning of Roe v. Wade has pushed personal data collection top of mind for many.

So, to be clear, anyone using a Facebook or Google pixel is selling customer data under this law?

The answer, according to some privacy lawyers, appears to be yes.

And that’s problematic because vendors—who may be monetizing a company’s data outside of the services they provide to that company—don’t tend to shout from the rooftops about that data dynamic, Aaron Grote, VP of digital products at Stirista, a data services and marketing firm, wrote to us.

“Many clients making decisions about these vendors don’t fully understand the consequences,” Grote said.

The settlement also dragged standard agreement terms used by major tech companies into the spotlight, Brennan added.

“There’s still an open question as to whether the AG’s office views Google’s standard data processing terms as sufficient to meet the CCPA requirements,” he said.

Doubling down: The Sephora investigation was part of an enforcement sweep of online retailers that began last June. California AG Rob Bonta tweeted that his office was “serving notices of CCPA violation to a number of other large online retailers,” and while Sephora is the first company to have been fined, it’s unlikely to be the last.

“This is the California government saying, ‘We’re taking this seriously,’” Grote said. “If you’re sharing customer data with a vendor who has not signed a service provider agreement, you’re considered to be selling data and are assuming all of the CCPA obligations and risks that come with that.”

Correction 08/30/2022: This story has been updated since it was first published to change "service providers" to "vendors."
