Sephora Inc., one of the world’s largest cosmetics retailers, has settled a lawsuit claiming that the company sold customer information without proper notice in violation of the California’s landmark consumer privacy law, state Attorney General Rob Bonta said Wednesday.
Sephora failed to tell customers that it was selling their personal information, failed to allow customers to opt out of that sale, and didn’t fix the problem within 30 days as required by the law, even after it was notified of the violation, state officials said.
The company agreed to pay $1.2 million and immediately correct the problem under the settlement, the state’s first such enforcement action under the California Consumer Privacy Act, according to Bonta.
Sephora said it is already complying with the state law after cooperating with Bonta’s office.
“Data is power, and these days everyone wants it,” Bonta said.
“Some of the most intimate details about your life are being harvested,” he said. “The more data a company has on you, the more power they have over you, the more they can target you to buy their goods and services.”
But the state law gives consumers a way to block that collection and sale.
The act was passed by state lawmakers in 2018 and expanded by voters in 2020. It gives California, home to Silicon Valley, what is viewed as the strongest U.S. data privacy law, providing consumers with the right to know what information companies collect about them online, to get that data deleted and to opt out of the sale of their personal information.
Bonta’s office has warned more than 100 companies that they were out of compliance and sent more than a dozen new notices on Wednesday. The “vast majority” complied, he said, but not Sephora, which sells cosmetics, perfumes, beauty and skincare products in 2,700 stores in 35 countries.
“Their actions compared to others was egregious,” he said, saying the settlement should be a warning to other companies that don’t comply.
The company did not admit any liability or wrongdoing under terms of the settlement. The company was founded in France and has its U.S. headquarters in San Francisco.
Sephora said in a statement that the company “respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience.” It said it allowed customers to opt out of the sale of personal information starting in November 2021.
The company said its tracking allows it “to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads” but that customers can now “opt-out of this personalized shopping experience” easily.
Sephora allowed third-party companies to install tracking software that allowed them to build detailed consumer profiles that allowed them to better target customers, Bonta said. But on its website it promised “we do not sell personal information,” according to the lawsuit.
The 30-day grace period for companies violating the law will end next year, when companies will be required to be in compliance without warning.
Also next year, Bonta’s office will begin sharing enforcement responsibility with a new California Privacy Protection Agency. The agency is taking public comment this week on proposed privacy regulations under the 2020 expansion.
“Certainly there is overlap,” Bonta said, but “multiple watchdogs on the block standing up for consumers, standing up for their privacy, making sure that data decisions are in their hands and that their data isn’t being sold or misused against their wishes is a good thing and we’re excited about that.”
Bonta and other California officials also want to make sure the state’s strict law isn’t undermined as the federal government considers what are likely to be less stringent nationwide standards.
The executive director of the state’s new privacy agency sent a letter this month to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy, both from California, warning that a version being considered in the House would replace California’s protections with weaker protections. Gov. Gavin Newsom and the state Assembly speaker are among others who have objected.
Bonta said California’s law wouldn’t be affected so long as Congress makes its standards “a floor, not a ceiling. That they do not preempt the incredible privacy protections, nation-leading privacy protections that we have here in California.”
The Federal Trade Commission said this month that it will also consider new rules.
Related: Class Action Lawsuit Filed Against Oracle Over Data Collection Practices
Related: Meta Agrees $90 Million Settlement in Facebook Privacy Suit