Cosmetics giant Sephora files a lawsuit over customer data privacy in California

Sephora Inc., one of the world’s largest cosmetics retailers, has settled a lawsuit alleging the company sold customer information without proper notice in violation of California’s landmark consumer privacy law, state Atty. That’s what General Rob Bonta said on Wednesday.

Sephora failed to tell customers it was selling their personal information, failed to allow customers to opt out of that sale and did not fix the problem within 30 days required by law even after being notified of the breach, state officials said.

The company agreed to pay $1.2 million and immediately correct the problem under the settlement, the state’s first such enforcement action under the California Consumer Privacy Act, Bonta said.

“Data is power, and these days everybody wants it,” he said.

“Some of the most intimate details of your life are being harvested,” he said. “The more data a company has about you, the more power they have over you, the more they can target you to buy their goods and services.”

But state law gives consumers a way to block the collection and sale.

The law was passed by state legislatures in 2018 and expanded by voters in 2020. It gives California, home to Silicon Valley, what is seen as the strongest US privacy law, giving consumers the right to know what information companies collect about them on web , to have this data deleted and to opt out of the sale of your personal information.

Bonta’s office has warned more than 100 companies that they were out of compliance and sent more than a dozen new notices on Wednesday. “The vast majority” followed, he said, but not Sephora, which sells cosmetics, perfumes, beauty and skin care products in 2,700 stores in 35 countries.

“Their actions compared to others were extreme,” he said, saying the settlement should serve as a warning to other companies that don’t follow suit.

The company did not admit liability or wrongdoing under the settlement. The company was founded in France and has its US headquarters in San Francisco.

In the settlement, Sephora agreed to clarify its website disclosures and privacy policy to tell customers it is selling their data and allow them to opt out of that sale. It will submit reports to Bonta’s office on the sale of personal information and compliance with the law.

Sephora said in a statement that the company “respects consumers’ privacy and strives to be transparent about how their personal information is used to enhance their Sephora experience.”

The company said the tracking enables it to “provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads”, but that customers can now easily “opt out of this personalized shopping experience”.

Sephora allowed third-party companies to install tracking software that enabled them to build detailed consumer profiles that helped them better target customers, Bonta said. But on its website, it promised “we do not sell personal information,” according to the lawsuit.

The 30-day grace period for companies that break the law expires next year, when companies will be required to comply with the regulations without notice.

Also next year, Bonta’s office will begin sharing enforcement responsibilities with a new California Privacy Protection Agency. The agency is taking public comment this week on proposed privacy regulations under the 2020 expansion.

“There’s certainly overlap,” Bonta said, but “more watchdogs on the block standing up for consumers, standing up for their privacy, making sure that data decisions are in their hands and that their data isn’t sold or misused against their wishes is a good thing and we are excited about it.”

Bonta and other California officials also want to make sure the state’s strict law is not undermined as the federal government considers what are likely to be less stringent nationwide standards.

The executive director of the state’s new privacy agency sent a letter this month to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy, both of California, warning that a version being considered in the House of Representatives would replace California’s protections with weaker protections. Gov. Gavin Newsom and state Assembly speakers are among others who have protested.

Bonta said California’s law would not be affected as long as Congress makes its standards “a floor, not a ceiling. That they don’t anticipate the incredible privacy protections, the nation-leading privacy protections that we have here in California.”

The Federal Trade Commission said this month that it will also consider new rules.

Leave a Reply

Your email address will not be published.