Sephora scores high marks for selling customers high-end makeup. But it earns much lower marks for allegedly selling customers’ data, in violation of California’s first-in-the-nation consumer protection law.

California Attorney General Rob Bonta has announced a settlement with the cosmetics giant, under which Sephora will pay $1.2 million and comply with certain other terms. These mandates demand that it clarify its online disclosures and privacy policy to include an affirmative representation that it sells data; provide mechanisms for consumers to opt out of the sale of personal information; and submit regular reports to the California Attorney General about its sale of personal information.

This settlement is reportedly the beginning of real enforcement of California’s Consumer Privacy Act, which was signed into law in 2018 and went into effect in 2020. The law provides California consumers more transparency and control over how their personal data are collected and shared.

Bonta told NBC that his office found Sephora’s violations while conducting a “sweep” of online retailers for potential violations. Sephora, which is owned by French luxury goods conglomerate LVMH, stands accused of telling customers their data would not be sold, even while it was still allowing third parties to track those data as customers shopped the Sephora website. These third parties built profiles of customers based on the type of computer they were using, the brands and items they selected for their shopping carts, and their physical location. In addition to the profits earned from selling these detailed data, Sephora benefited by being able to provide more targeted marketing on its own.

In a statement, Sephora took issue with these behaviors being considered a “sale” under the California law. The California Consumer Privacy Act “does not define ‘sale’ in the traditional sense of the term,” Sephora said. “‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.”

According to the complaint filed by California’s Office of the Attorney General, Sephora also illegally failed to process customers’ requests to opt out of the sale of their personal information. But it was not the only one; Bonta noted that his office has sent out notices of violations to more than 100 other companies. They have 30 days to respond.

“The kid gloves are coming off,” Bonta said in a news conference. “There are no more excuses. Follow the law. Do right by consumers.”

Discussion Questions:

  1. Does this settlement sound fair to you?
  2. Do you think other states should enact privacy laws like California’s? How about the U.S. federal government?
  3. What would an ideal consumer privacy law look like?

Source: Matthew Stern, “Sephora Learns an Expensive Lesson about Customer Data Privacy in California,” Retail Wire, August 31, 2022; David Ingram, “Cosmetics Retailer Sephora to Pay $1.2 Million under Sweeping California Privacy Law,” NBC, August 24, 2022; “Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act,” oag.ca.gov, August 24, 2022; “First California Consumer Privacy Act Enforcement Action and Settlement,” National Law Review, September 8, 2022; “CCPA vs CPRA: What’s the Difference?” Bloomberg Pro, July 13, 2021; John Woolfolk, “California Fines Sephora $1.2 Million for Data Privacy Violation,” siliconvalley.com, August 24, 2022.