

Beauty and the Opt-Out Beast: Sephora Fined $1.2M under CCPA

Daniel Barber, August 25, 2022

To learn more about the California Privacy Law, explore DataGrail’s Official Guide to CCPA.

ICYMI: Sephora was fined $1.2M by the Attorney General for failing to comply with the CCPA.

Per the Attorney General, Sephora failed to:

  1. Notify consumers of how personal data is handled.
  2. Offer any means of opting out.
  3. Honor the opt-out request.

Cautionary Tale as Told By Bonta

“The kid gloves are coming off.” 

With the latest action by the Attorney General against Sephora, privacy rights are being upheld. It’s not just about traditional data brokering: Any personal data collected by online tracking technologies can violate the CCPA’s Do Not Sell compliance requirements if not treated carefully.

The AG is taking a stand and saying it’s no longer okay for companies to freely use people’s data for monetary gain without giving them the opportunity to opt out. Consumers need to be aware that their data is being “sold” when website operators use free or discounted analytics and advertising services. They need to be given up-front information and a clear choice to stop this kind of data-for-value exchange.

This is part of a series of sweeps by the AG. We can expect to see more fines to come out over the next few months before CPRA goes into effect in 2023. (Get your business ready: Read Countdown to CPRA to prepare for privacy regulations in 2023 and beyond.)

👉 Further reading: DataGrail’s Official Guide to CCPA

Word to the Wise: Brace for Change

One of the many criticisms of CCPA was that it only enabled an opt-out for the selling of personal data, not for sharing it for certain other uses that also deserve a right to opt out. This created a gap that Big Tech / AdTech took advantage of to continue collecting people’s data. The CPRA closes the loophole and clarifies that organizations must give people the option to opt out (1) if their data is sold or (2) if it is shared with third parties providing targeted advertising services.

This suggests that companies that have yet to offer Do Not Sell (DNS) requests, but are required to do so in 2023 because of CPRA, will see a huge jump in the number of requests they receive. In fact, it’s likely the number of requests received will more than double. Organizations that share personal data for advertising purposes should prepare for a massive uptick in DNS requests in 2023.

Trust Issues

DataGrail believes it’s beyond time that people have control over their personal data. The Attorney General’s latest ruling on Sephora proves that enforcers believe that, too. If you don’t have a way to track and honor opt-out requests like Do Not Sell, your company will be held financially responsible. What’s more, consumers are taking note.

Consumer behavior reflects the same desire for greater control over personal data that the AG is acting on: opt-outs are the most popular requests by far, constituting 63% of all CCPA privacy requests. With CPRA right around the corner, bringing even more stringent and broader requirements and adding Do Not Share request compliance, it’s critical that companies’ privacy programs are ready.

Time for Action

If you don’t have a way to track and honor opt-out requests like Do Not Sell, your company will be held financially responsible and you risk losing consumer confidence in your brand, which translates to loss in revenue.

DataGrail’s Request Manager tracks and enables platform users to respond to these types of data subject requests, and Live Data Map provides an up-to-date view of third-party applications that may process personal data and also be subject to the Attorney General’s fines.

DataGrail has a long track record of helping companies track and honor opt-out requests. Organizations like Overstock, ZoomInfo, WWE, and Crunchbase use DataGrail to give people the opportunity to opt out of their data being sold.
