International cosmetics retailer Sephora has become the first company to be penalized under the California Consumer Privacy Act (CCPA). The cosmetics retailer has agreed to pay $1.2M to settle allegations. California Attorney General Rob Bonta alleged that Sephora failed to:
- disclose to consumers that it was selling their personal information
- process user requests to opt out of sale via user-enabled global privacy controls, in violation of the CCPA
- cure these violations within the 30 days currently allowed by the CCPA
In addition to the $1.2M fine, the retailer must also:
- Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control;
- Conform its service provider agreements to the CCPA’s requirements; and
- Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control.