Login | April 25, 2024
Multinational is first company fined under CCPA
RICHARD WEINER
Technology for Lawyers
Published: October 7, 2022
French consumer beauty products company Sephora is the first company to be fined under the 2018 California Consumer Privacy Act (CCPA). The company agreed to a $1.2 million fine and a number of remedial actions with the state.
Passed four years ago with great fanfare and press coverage, the CCPA kind of lurked in the background of the internet for a long time. Probably most people now would be surprised that it was a French company, and not a California company, that was the first one to get dinged by the law. But many of us warned that the CCPA, like the EU’s GDPR, was going to have an international and interstate effect because any consumer goods company that operates online (which is all of them, at this point) does at least some business in California. And that is all that it takes for the long arm effects of CCPA to get to a company like Sephora.
If you aren’t familiar with the company, Sephora is a Paris company founded in 1970 and currently owned by luxury conglomerate LVMH. It currently owns/sells nearly 340 different brands, and besides online sales and its own storefronts, sells products in stores like Kohl’s and JC Penney. It also sells/ sold customer data without permission, which is another thing.
After investigating, the California AG office said that Sephora failed to tell customers that it was selling their personal data, that it, oh, you know, kind of neglected to process customer privacy choices when a customer would press the appropriate button on their website, and then didn’t, you know, pay any attention to the AG when that office told them to resolve those violations within the 30-day statutory window.
Of course, it probably would cost a company like Sephora more to process the privacy choices of customers than pay a million-dollar fine, but at least it generated a headline. And a heads-up to other potential CCPA scofflaws.
In addition to the fine, Sephora’s remedial actions will include clarifying its online privacy policy to indicate that it sells personal information, to provide ways for customers to opt out of that, and provide reports to the AG’s office.
California AG Rob Bonta also announced that his office is noticing a number of other companies that they are in violation and to get their thing together.
Told ya this was coming. So watch out!