- If your AI-generated code becomes faulty, who faces the most liability exposure?
- These discoutned earbuds deliver audio so high quality, you'll forget they're mid-range
- This Galaxy Watch is one of my top smartwatches for 2024 and it's received a huge discount
- One of my favorite Android smartwatches isn't from Google or OnePlus (and it's on sale)
- The Urgent Need for Data Minimization Standards
Cosmetics Giant Sephora to Pay $1m+ Privacy Settlement
One of the world’s biggest cosmetics retailers has agreed to pay $1.2 million in penalties and take corrective action after falling foul of the California Consumer Privacy Act (CCPA).
Announced by the state’s attorney general, Rob Bonta, this week, the settlement by Sephora is part of the administration’s efforts to enforce a law that came into force over two years ago.
“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” said Bonta in a statement.
“My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
Owned by French luxury goods giant LVMH, Sephora was accused of failing to disclose to consumers that it was selling their personal information and failing to process user requests to opt out of this sale via user-enabled global privacy controls. The firm did not correct these issues within the 30-day period stipulated by the CCPA.
Thanks to online tracking software on Sephora’s website and app, third parties with which the firm struck commercial deals can create consumer profiles including details such as precise location, shopping basket contents and what device customers are using.
As part of the settlement, Sephora has agreed to:
- Clarify its privacy policy to state that it sells data
- Provide a way for consumers to opt out of the sale of personal information
- Tweak its service provider agreements to meet the CCPA’s requirements
- Provide reports to the attorney general relating to its sale of personal information and the status of its service provider relationships
A “number” of other businesses have also been targeted by Bonta and will have 30 days to comply with the CCPA.
The CCPA is narrower in scope and jurisdiction than the GDPR. However, it represents the first attempt by a state to improve privacy protections for consumers, while handing them more rights over how their personal information is used.