Beauty retailer Sephora Inc. will pay $1.2 million to settle allegations of violating the California Consumer Privacy Act, the California attorney general’s office said Wednesday.
California AG Rob Bonta said in a statement that Sephora, whose U.S. headquarters are in San Francisco, failed to disclose to consumers that it was selling their personal information and to process user requests to opt out of the sale of that information. It also did not address those violations within the 30-day period allowed by the CCPA, the statement said.
Among the terms of the settlement, Sephora must clarify its online disclosure and privacy policy; provide mechanisms for consumers to opt out of the sale of their personal information; certify that its service provider arrangements meet CCPA requirements; and provide reports to the Attorney General on its efforts to comply with global privacy controls.
Bonta said in a statement that many online retailers allow third-party companies to install tracking software on their websites that, in Sephora’s case, allows them to create profiles of customers by tracking the computer they use, the items they put in their online shopping carts or their exact location. This allows retailers like Sephora to more effectively target potential customers, he said.
Sephora issued a statement saying in part that it respects consumer privacy and that the settlement does not constitute an admission of liability or wrongdoing on the part of the company.
It also said the CCPA’s definition of data includes “common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and advertisements.
“Consumers have the option to opt out of this personalized shopping experience by clicking the ‘CA – Do Not Sell My Personal Information’ link in the footer of the Sephora.com website or by using a browser that transmits Global Privacy Control,” it said.
The CCPA, which was signed into law by then-Gov. Jerry Brown in June 2018, entered into force on 1 January 2020 and is similar in some respects to the EU’s General Data Protection Regulation.