California AG Rob Bonta said in a statement that Sephora, whose U.S. headquarters is in San Francisco, failed to disclose to consumers it was selling their personal information and to process user requests to opt out of this information’s sale. It also did not address these violations within the 30-day period allowed by the CCPA, the statement said.
Mr. Bonta said in a statement that many online retailers allow third-party companies to install tracking software on their websites which, in Sophora’s case, permits them to create customers’ profiles by tracking the computer they use, the items they put in their online shopping carts or their precise location.
This permits retailers such as Sephora to more effectively target potential customers, he said.
Sephora issued a statement that said in part it respects consumers’ privacy, and the settlement does not constitute an admission of liability or fault by the company.
It said also the CCPA’s definition of data includes “common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.
“Consumers have the opportunity to opt-out of this personalized shopping experience by clicking the ‘CA – Do Not Sell My Personal Information’ link on the footer of the Sephora.com website or by using a browser that broadcasts the Global Privacy Control,” it said.
The CCPA, which was signed into law by then-Gov. Jerry Brown in June, 2018 became effective Jan. 1, 2020, and is similar in some respects to the European Union’s General Data Protection Regulation.