Sephora, owned by French luxury goods giant LVMH has agreed to pay $1.2 million in penalties and take corrective action after falling foul of the California Consumer Privacy Act.
The settlement by Sephora is part of the administration’s efforts to enforce a law that came into force over two years ago.
Sephora was accused of failing to disclose to consumers that it was selling their personal information and failing to process user requests to opt out of this sale via user-enabled global privacy controls. Within the stipulated time of 30 days these issues are not been sorted out.
With the online tracking software available on Sephora’s website and app, third parties with which the firm struck commercial deals can create consumer profiles including details such as precise location, shopping basket contents, and type of devices the user is using.
Sephora has agreed to the below as part of the settlement:
- Provide a way for consumers to opt-out of the sale of personal information
- Tweak its service provider agreements to meet the CCPA’s requirements
- Provide reports to the attorney general relating to its sale of personal information and the status of its service provider relationships
Other businesses have also been targeted and the same will have 30 days to comply with the CCPA.
The CCPA is much straight forward in scope and jurisdiction than the GDPR. It represents the first attempt by a state to improve privacy protections for consumers, while handing them more rights over how their personal information is used.