Apply Foundation To Your Privacy Policy Before You Become The Next Sephora


On August 24, 2022, the California Attorney General released a statement regarding a settlement agreement that the State of California reached with Sephora, Inc. (“Sephora”), the international consumer product retailer specializing in personal care and beauty products, for failing to comply with the California Consumer Privacy Act (“CCPA”). The California Attorney General’s Office alleged that Sephora did not notify consumers that the company was selling personal information and did not honor consumer requests to opt out of those sales.[1]

It is worth noting that a “sale” under the CCPA is broadly defined. A CCPA “sale” covers the obvious, like an exchange of data containing personal information for monetary sums, but also includes arrangements where the data provider receives a benefit from allowing a third party access to data containing personal information. Even receiving a benefit that has unclear monetary value can trigger requirements under the CCPA. As was alleged against Sephora, the California Attorney General determined that a “sale” occurred when Sephora gained “a benefit from a third-party vendor who built customer profiles by analyzing the personal information and behavior of online shoppers.”

As part of the settlement, Sephora will pay $1.2 million in penalties and has agreed to revise its user agreements to comply with CCPA requirements, including implementation of opt-out mechanisms. Sephora will also provide updates to the California Attorney General’s Office on progress toward corrective measures, implying ongoing oversight by the state office. The action against Sephora serves to illustrate how data privacy laws should be considered when executing business strategy.

Despite being the first of its kind, California’s action against Sephora may not be the last. The California Attorney General’s Office disclosed that notices of non-compliance were issued to businesses across a wide range of industries, including tech, healthcare, retail, fitness, data brokerage and telecom.

Further highlighting the importance of compliance with data privacy laws is the number of new laws coming into effect in 2023. The CCPA is soon to be supplemented by the California Privacy Rights Act (“CPRA”), which expands the data privacy rights of California residents. New state laws in Colorado, Connecticut, Utah, and Virginia also become effective in 2023, affording residents of the respective states various data privacy rights and protections. Here is a short list of the upcoming data privacy laws and their effective dates.

| State | Laws | Effective Date |
|---|---|---|
| California | California Consumer Privacy Rights Act | Jan. 1, 2023 |
| Virginia | Consumer Data Protection Act | Jan. 1, 2023 |
| Colorado | Colorado Privacy Act | July 1, 2023 |
| Connecticut | Personal Data Privacy and Online Monitoring | July 1, 2023 |
| Utah | Utah Consumer Privacy Act | Dec. 31, 2023 |

As the close of 2022 approaches, companies should proactively plan to update their user agreements, including privacy policies, so that they acknowledge and define the user rights that will be effective soon. Overlooking how your business uses, shares, or discloses the personal information of consumers can leave you vulnerable to risk, including regulatory action and costly penalties. Companies should also analyze whether their mechanisms for exercising rights, if any, are appropriate and sufficient to accommodate expanded user rights.


This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this alert, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

Unless expressly provided, this alert does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.