How the Sephora Privacy Breach Affects Cookie Compliance

It seems like such a simple case. On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora, Inc., a French cosmetics company. The organization paid $1.2 million for violating the CCPA (California Consumer Privacy Act).

But in reality, the case was anything but simple.

In the settlement announcement, the Attorney General accused Sephora of failing both to disclose to consumers that it was selling their personal information and to process user requests to opt out of the sale.

The case has been noticed primarily because it is the first publicly disclosed enforcement action issued under the CCPA.

While cases of first impression always get the bar’s attention, the interesting aspect of the case is not that Sephora violated the CCPA, but how it did so.

Buying or selling?

When you think of a data privacy violation, an organization like Facebook might come to mind. Facebook does not sell information. It gathers massive amounts of information about a consumer so that it can help advertisers better target them.

Advertisers happily pay Facebook for the information without ever knowing the consumer’s name.

In a similar way, Sephora acquires information because it interacts directly with consumers. It then shares customers’ data with an analytics provider like Google or Facebook. The analytics provider then shares its information with Sephora to help Sephora target other potential customers.

The Attorney General’s question is whether this exchange is a sale. Did Sephora ‘sell’ information in its possession in exchange for access to the analytics provider’s network, or did Sephora ‘buy’ access to the analytics provider’s network with information it collected?

Either option would be fine as long as the nature of the exchange was made clear to customers. This is what it comes down to: transparency.

The problem was not that Sephora collected and shared information using cookies. Its mistake was failing to state on its website that it was using cookies to do so. By not being transparent, the organization denied users the chance to opt out of the sale.

Global privacy controls

The Attorney General stressed that the preferred method to allow consumers to ‘opt out’ was GPCs (global privacy controls). These are browser settings that notify any website the user visits of the user’s privacy preferences, such as not to share or sell personal data without their consent.

The user’s browser is configured to automatically send a Do Not Track signal to each website they visit.

GPCs are nothing new. They started life as the Do Not Track standard ten years ago; however, this was not honored because it was not legally mandated, and was also not the default setting.
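What honoring the signal looks like on the website side, as an added example that is not part of the original article: the function below reads the request headers the browser sends, treats the Global Privacy Control header (Sec-GPC: 1, per the GPC specification) and optionally the older DNT header as an opt-out, and withholds the third-party tags that would transmit visitor data. The tag names and sample requests are constructed for illustration.

```python
"""Server-side handling of a browser opt-out signal (added example)."""
from dataclasses import dataclass, field

# Constructed: third-party tags that would transmit visitor data (a "sale"/"share").
SALE_TAGS = ["google-analytics", "facebook-pixel"]
# Constructed: first-party tags the site needs to function; not a sale in this model.
ESSENTIAL_TAGS = ["session-cookie", "csrf-token"]


@dataclass
class OptOutDecision:
    opted_out: bool
    source: str                       # "gpc", "dnt" or "none"
    tags: list = field(default_factory=list)


def _header(headers: dict, name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def opt_out_from_headers(headers: dict, honor_dnt: bool = False) -> OptOutDecision:
    """Decide whether the visitor has opted out of sale/sharing.

    Sec-GPC counts only when its value is exactly "1"; "0", other values or
    absence mean no signal. DNT is honored only if the site chooses to.
    """
    if _header(headers, "Sec-GPC") == "1":
        return OptOutDecision(True, "gpc")
    if honor_dnt and _header(headers, "DNT") == "1":
        return OptOutDecision(True, "dnt")
    return OptOutDecision(False, "none")


def tags_for_request(headers: dict, honor_dnt: bool = False) -> OptOutDecision:
    """Return the decision together with the tags the page may load."""
    decision = opt_out_from_headers(headers, honor_dnt)
    decision.tags = list(ESSENTIAL_TAGS) if decision.opted_out else ESSENTIAL_TAGS + SALE_TAGS
    return decision


def response_headers(decision: OptOutDecision) -> dict:
    """Responses differ by signal, so caches must key on it (Vary)."""
    return {"Vary": "Sec-GPC", "X-Opt-Out-Source": decision.source}


if __name__ == "__main__":
    print(tags_for_request({"Sec-GPC": "1"}))        # constructed opted-out visitor
    print(tags_for_request({"User-Agent": "demo"}))  # constructed visitor with no signal
```

Logging the decision source alongside the request gives the evidence trail a regulator would ask for when checking that opt-out requests were actually processed.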

In California, this is no longer the case. Websites must have the required ‘opt out’ notice. Sephora was, according to the Attorney General, selling information and not giving consumers either the notice it was doing so or the right to opt out.

GPCs are also catching on. Browsers such as Firefox, Brave, and DuckDuckGo allow users to turn the signal on, although Google has delayed its rollout until 2024.

The Google Privacy Sandbox is an initiative led by Google to create web standards for websites to access user information without compromising privacy. Its core purpose is to facilitate online advertising without the use of third-party cookies.

The California Attorney General’s settlement statement referred to GPCs ten times. This is a clear warning to any organization that collects personal information through its website.

The Sephora case sends a strong statement about the need for businesses to get their privacy policies right. Cookies, websites, privacy notices, and contracts with service providers should all be reviewed and managed.

If you follow the rules, you can advertise. If you don’t, you run the risk of enforcement action and lawsuits.