California Attorney General Announces First CCPA Enforcement Action
On August 24, 2022, California Attorney General Rob Bonta (“AG”) announced a settlement with Sephora, Inc., resolving allegations that the company violated the California Consumer Privacy Act (“CCPA”). The order includes permanent injunctive relief as well as a $1.2 million fine. This action stems from a June 2021 enforcement sweep by the attorney general of large retailers to determine whether they continue to sell personal information when a consumer signals an opt out via the Global Privacy Control (“GPC”), a browser extension that consumers use to notify businesses of their privacy preferences, and which also acts as a mechanism that websites can use to indicate they support the specification. This action is significant not only because it is the first CCPA enforcement action from the California AG’s office, but also because it homes in on a subject of much debate: what constitutes a “sale” of personal information under the CCPA.
According to the AG’s complaint, Sephora installed third-party companies’ tracking software on its website and in its app so that third parties could monitor consumers as they shop. In this case, they would track data such as:
Whether a consumer is using a Macbook or Dell, the brand of eyeliner that a consumer puts in their ‘shopping cart,’ and even the precise location of the consumer. Some of these third party companies curate entire profiles of users who visit Sephora’s website, which the third parties then use for Sephora’s benefit. The third party might provide detailed analytics information about Sephora’s customers and provide that to Sephora, or offer Sephora the opportunity to purchase online ads targeting specific consumers, such as those who left eyeliner in their shopping cart after leaving Sephora’s website. This data about consumer is frequently kept by companies and used for the benefit of other businesses, without the knowledge or consent of the consumer.
At the heart of this enforcement action is whether Sephora engaged in the “sale” of personal information, which is broadly defined in the CCPA as the sharing or exchange of data “for monetary or other valuable consideration.” Other similar state laws define sales more strictly as exchanges for “monetary consideration” only. What constitutes “valuable consideration” in this context has been the subject of much debate since the passage of the CCPA, with little guidance until now. According to the AG:
Sephora allowed the third party companies access to its customers’ online activities in exchange for advertising or analytics services. Sephora knew that these third parties would collect personal information when Sephora installed or allowed the installation of the relevant code on its website or in its app. Sephora also knew that it would receive discounted or higher-quality analytics and other services derived from the data about consumer’s online activities, including the option to target advertisements to customers that had merely browsed for products online.
Most importantly, though buried in the middle of the AG Complaint, is the statement that “Sephora also did not have valid service provider contracts in place with each third party, which is one exception to ‘sale’ under the CCPA.” Therefore, the AG complaint states, “[a]ll of these transactions were sales under the law.”
When Sephora failed to cure within 30 days, the AG entered into a tolling agreement effective September 15, 2021, which led to the filing of the complaint in California Superior Court, and ultimately the final order approving the final judgment and permanent injunction on August 24.
The complaint and the final judgment charge Sephora with several categories of violations, including failure to provide notice of sale, failure to honor opt out of sales, failure to provide the “Do Not Sell My Information” link to opt out of sales, and others. But the heart of this case is the statement that Sephora was, indeed, “selling” information as defined by the CCPA. All of the claimed violations (failing to disclose sales of information, failing to provide the “do not sell” link, failing to respond to GPC signals opting out of the sale of information) stem from the premise that Sephora was, in fact, “selling” the information as defined, for valuable consideration. The complaint suggests that targeted advertising could be a benefit constituting “valuable consideration”, and alleges that Sephora “gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits.” But this benefit would be irrelevant if the companies were service providers under the CCPA. Under the CCPA (Cal. Civ. Code 1798.140(v)), a service provider is defined as “a … legal entity … that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.” (emphasis supplied).
Although it is not clear from the documents, Sephora may have assumed that it was not selling the information because it had determined that the analytics companies fell under the “service provider” exemption. Had Sephora’s assumption been correct, it would not have been required to assume all of the obligations it has now been found to have violated. However, in the AG’s words, Sephora “did not have valid service provider contracts” in place with the third parties, and thus did not fall under the service provider exemption. It was therefore required to abide by the obligations associated with “sales” of personal information, which it did not.
Lessons Learned & Open Questions
For other companies engaged in targeted advertising and analytics, a superficial reading of this settlement might lead to the conclusion that, simply by engaging third party web analytics providers, they must be “selling” data and thus must comply with the heightened “sales” obligations. However, I believe a more careful reading reveals the true lesson: make sure you have sufficient contracts in place with your third-party analytics providers that contain the necessary restrictions required by the CCPA (e.g., Cal Civ. Code 1798.140(v); Cal Code Regs. 11.7051). The CPRA adds two nearly identical categories of entities, “contractors” and “service providers”, whose definitions are similar. It also includes new contractual requirements for sharing information with a service provider or contractor. By ensuring that sufficient contractual agreements are in place between companies and third-party analytics companies, companies can more assuredly rely on the service provider exemption from the definition of “sales”.
However, this does raise the question of what deficiencies may have existed in the arrangements between Sephora and its third-party providers such that the AG deemed them insufficient and thus “sales” under the CCPA. The AG Complaint states: “Sephora also did not have valid service provider contracts in place with each third party”. But it is not clear whether the AG means that Sephora did not have contracts in place at all, or whether it did, but such contracts were not “valid”.
It seems doubtful that a large and sophisticated company such as Sephora would have no contract in place at all. Thus, it may be that either: (a) there were formal contracts in place but they lacked the terms and conditions required by the CCPA and regulations; or perhaps (b) the company simply created user accounts pursuant to “clickwrap” terms and conditions that either similarly lacked the required terms and conditions, or were deemed by the AG, because of their clickwrap nature, to be insufficient to form valid contracts (but see, e.g., B.D. v. Blizzard Entertainment, Inc., 76 Cal. App.5th 931 (March 29, 2022)).
In summary, the first CCPA enforcement action issued by the AG is significant in its own right, but also because it emphasizes the importance of the heightened obligations associated with selling personal information to third parties. It is also important because it raises questions about the much-debated topic of what constitutes “valuable consideration” and a “sale” under the CCPA. Although we shall see how many additional enforcement actions the AG takes while rulemaking and enforcement authority transitions to the CPPA under the CPRA, additional interpretations by the AG (as well as their consistency with, or deviation from, those of the CPPA) will be informative as to how companies may comply with their obligations regarding sales of personal information.