Newsletter

California AG Issues First Fine for CCPA Violations

September 2022

Privacy In Focus®

The California Attorney General (AG) made headlines in August by issuing a $1.2 million fine against online retailer Sephora to resolve allegations that the business violated the California Consumer Privacy Act (CCPA). This action represented a major shift in AG enforcement efforts, which had previously focused on issuing warning letters under the notice and cure provisions of the CCPA. In announcing the enforcement action, the California AG stated: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling consumer data, not including a “do not sell my personal information” opt-out button on its website, and not honoring Global Privacy Control (GPC) signals. Sephora was provided a 30-day cure period but allegedly did not bring its practices into compliance during that time.

This enforcement action is notable for several reasons. First, it arose from the AG’s compliance sweep of online retailers, illustrating one of the multiple channels the AG has available to pursue investigations. Of note, AG investigations to date have frequently been triggered by consumer complaints. Additionally, this enforcement action is a clear sign that businesses must carefully evaluate whether their data sharing practices are a “sale” under the CCPA. The CCPA’s definition of sale is broad and captures significantly more activities than a straightforward transaction. Finally, the AG clearly signaled in this action that businesses must honor Global Privacy Control signals. In addressing this element of the settlement, the AG stated: “[t]echnologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses … ignore requests to opt-out of its sale.” Failure to do so will be treated as a CCPA violation.

In the countdown to implementation of the California Consumer Rights Act (CPRA) on January 1, 2023, the California AG’s office has not become complacent in its enforcement of the CCPA. Under the CPRA, the AG retains enforcement authority along with the newly created California Privacy Protection Agency (CPPA). Businesses should pay careful attention to these enforcement efforts and evaluate their data collection and use practices to ensure they comply.

© 2022 Wiley Rein LLP
