In First, Company Fined for Violating California Consumer Privacy Act

Sephora, the cosmetics giant of the LVMH group, must pay a USD 1.2 million fine for failure to comply with the California Consumer Privacy Act (CCPA), after receiving a warning from the California Attorney General and time to rectify its violations.

The California Attorney General’s Office launched an enforcement sweep of more than 100 companies, examining their compliance with the CCPA. Attorney General Rob Bonta issued a statement that all other companies revised their privacy policies, while Sephora took no action to protect its customers’ privacy nor to comply with the obligations imposed on it in this regard.

According to the statement issued by the California Attorney General’s Office, Sephora disclosed information to third parties about its online customers, including location, purchase history, and information about devices used to perform the purchases. It did so without informing its customers and without enabling them to opt out and refuse to allow Sephora to sell such personal information.

Another division of LVMH is also currently under investigation for privacy policy violations in respect of its collection of biometric information through products’ virtual try-on tools.

The USD 1.2 million fine is the outcome of a settlement between the Attorney General and LVMH.

Bonta’s message to companies is that the time has come for them to start protecting consumers’ information and to respect their right to privacy.

Within the framework of the settlement, Sephora undertook to take the following measures:

• Clarify the company’s privacy policy and clearly report about any interface that involves the disclosure or sale of customers’ information to third parties.
• Activate an opt-out mechanism to enable consumers to refuse to give their consent to the disclosure of their information to third parties.
• Revise its agreements with third parties so that they comply with CCPA requirements.
• Forward reports to the California Attorney General’s Office on a regular basis about the courses of action the company is taking to comply with the statutory requirements.

This settlement agreement also clarifies the obligations applying to companies (including Israeli companies) that interact with customers in California to remain in compliance with the CCPA. These include:

• A company must clearly disclose in its privacy policy any sharing of information with a third party, even if this is done for services. Any such exchange is considered a “sale” and require a clear disclosure under the CCPA.
• The wording and display of all notices relating to privacy and consumers’ rights must be in clear and straightforward language.
• A company must display notices that clarify whether the use of any particular interface may result in the sale of personal information to third parties.
• The privacy policy must state which personal information it collected or disclosed over the last 12 months.
• The exercise of rights cannot be impeded or made contingent upon conditions, except in order to verify the identity of the person wanting to exercise those rights.
• When a customer chooses the opt-out option, a company cannot transfer him to the site of a third party that manages advertising and cookie preferences.
• A company must ensure its interfaces enable consumers to opt out via a user-enabled global privacy control (GPC), and a company may not force customers to opt out of each website separately.

***

Our Regulation and Privacy Department is at your service if you have any questions about the CCPA or other local or global privacy issues.