Bloomberg Law
Aug. 26, 2022, 9:15 AM

First California Privacy Penalty Flags Consumer Data Sales Peril

Andrea Vittorio

California’s $1.2 million penalty against Sephora for breaching the state’s landmark consumer data privacy law signals ramped-up regulatory scrutiny of the sale of personal information.

A settlement announced Aug. 24 is the first public enforcement action that Attorney General Rob Bonta (D) has brought under the California Consumer Privacy Act. The deal may offer a hint of what’s in store for companies that run afoul of the law, as regulators at California’s privacy agency write rules for complying with updates to it.

“This is a case that a lot of companies have been waiting for” to get a sense of California’s enforcement priorities and potential penalties, said Jessica Lee, a privacy-focused partner at Loeb & Loeb LLP.

Sephora was faulted for failing to inform consumers that it sells information about them and failing to honor consumer requests to opt out from the sale of their data—including through a website browser tool known as Global Privacy Control that’s been gaining traction. Its settlement requires clarifying privacy disclosures to consumers and reporting back to the attorney general’s office on the company’s processing of opt-out requests.

Sephora “respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience,” a company spokesperson said in an email, which noted it didn’t admit wrongdoing.

California’s privacy agency is expected to take on a bigger role in enforcement going forward, working alongside the attorney general’s office.

Bonta has been sending companies compliance warnings, giving them a chance to fix privacy issues that were identified. As the latest enforcement action was announced, Bonta sent out more than a dozen additional violation notices to businesses regarding their failure to process consumer opt-out requests, he said during an Aug. 24 press conference.

Businesses should be on notice that Bonta will take action against those that don’t heed his warnings, said Cynthia Larose, chair of the privacy and cybersecurity practice at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.

Global Privacy Control

Bonta alleged that Sephora disregarded consumers who told the company not to sell their personal information, using a mechanism known as Global Privacy Control. Sephora’s website was not configured to detect or process the signal, Bonta said in his complaint.

The control is a way for consumers to indicate their privacy preferences to a number of websites at once, rather than one at a time.

It’s meant to make it easier for consumers to tell businesses not to sell their data. Submitting such opt-out requests can be challenging, and companies don’t always fulfill the requests, a study by Consumer Reports found.

“It’s not practical for consumers to exercise their privacy rights one by one,” said Keir Lamont, senior counsel with the nonprofit Future of Privacy Forum’s US legislation team. The idea behind Global Privacy Control is that consumers could “set it and forget it,” by expressing their privacy choices on a default basis wherever they go online, Lamont said.

A handful of internet browsers offer the control, and Bonta has indicated it can be used to comply with California privacy law.

Recognizing Signal

There’s been some “ambiguity” over whether or not California privacy law requires recognition of Global Privacy Control as an opt-out signal, according to Sheri Porath Rockwell, senior managing associate at Sidley Austin LLP.

The California Consumer Privacy Act directs businesses to provide options for consumers to submit opt-out requests. Global Privacy Control was created as one potential opt-out method while the law was being implemented.

Now there’s “little doubt” that the state’s attorney general considers observance of the Global Privacy Control signal to be required, Rockwell said in an email.

One of the challenges for implementing the tool is settling on a standard for how a web browser or mobile device sends the privacy signal so that websites can recognize it. Global Privacy Control is a proposed technical standard for carrying out the concept, through an emerging collection of browsers or browser extensions.
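As an added illustration, not code from the article or from Sephora’s systems: a minimal server-side handler that recognizes the signal the way the GPC proposal defines it (browsers with the control enabled send the request header `Sec-GPC: 1`), treats it as a do-not-sell request by suppressing sale-related tags, and serves the `/.well-known/gpc.json` resource that advertises support. The tag inventory and the sample requests are constructed for the example.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Constructed example. A browser with GPC enabled sends the request header
`Sec-GPC: 1` (the only value the proposal defines); a site that honors the
signal must treat it like an explicit "Do Not Sell" request.
"""
import json
from datetime import date

# Constructed tag inventory: which third-party tags amount to a "sale" of
# personal information and which are first-party essentials.
SALE_TAGS = {"ad-pixel", "data-broker-sync"}
ESSENTIAL_TAGS = {"analytics-first-party"}


def gpc_opt_out(headers):
    """Return True if the request carries a valid GPC signal.

    `headers` maps request header names to values; names are matched
    case-insensitively. Only the literal value "1" is an opt-out; "0",
    "true", "yes" or an absent header are not.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def tags_to_load(headers, already_opted_out=False):
    """Decide which tags may load for this request.

    Returns (opted_out, sorted tag names). A GPC signal is honored exactly
    like a previously recorded opt-out: sale-related tags are withheld.
    """
    opted_out = already_opted_out or gpc_opt_out(headers)
    allowed = set(ESSENTIAL_TAGS)
    if not opted_out:
        allowed |= SALE_TAGS
    return opted_out, sorted(allowed)


def gpc_well_known(last_update=None):
    """JSON body for /.well-known/gpc.json, stating that the site honors GPC."""
    when = last_update or date.today()
    return json.dumps({"gpc": True, "lastUpdate": when.isoformat()})


if __name__ == "__main__":
    # Constructed requests: one from a GPC-enabled browser, one without it.
    print(tags_to_load({"Host": "shop.example", "Sec-GPC": "1"}))
    print(tags_to_load({"Host": "shop.example"}))
    print(gpc_well_known())
```

The decision should also be persisted against the visitor’s consent record, so that later requests without the header (for example from another device) stay opted out once the user has identified themselves.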

“The signal the attorney general’s office is sending is that companies need to take reasonable steps to implement these technologies as the technologies evolve,” said Mark Brennan, a partner at Hogan Lovells who leads the firm’s technology and telecommunications group.

—With assistance by Malathi Nayak

To contact the reporter on this story: Andrea Vittorio in Washington at

To contact the editors responsible for this story: Keith Perine at; Jay-Anne B. Casuga at
