You may have heard about the recent news out of California Attorney General Rob Bonta’s office, stating that the State of California reached a settlement with Sephora for $1.2 million, the first of its kind under the CCPA and CPRA. But what does this mean for your organization?
Understanding CCPA and CPRA
First, you need to understand the laws involved in the recent Sephora judgement. The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the information that businesses collect about them. This law secures privacy rights for California consumers, notably:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them;
- The right to opt out of the sale of their personal information.
In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA). While this is not an exhaustive list of additions and revisions, the CPRA provides additional consumer privacy rights over sensitive information, expands penalties established through the CCPA, creates a new agency in California to oversee and enforce consumer data privacy laws, and eliminates the 30-day period to cure CCPA violations to avoid penalties.
A Shot Across the Bow
The Sephora case marks a major milestone in the enforcement of CCPA and CPRA.
“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” Bonta said in a statement. “My office is watching, and we will hold you accountable.”
While Sephora did have an opportunity to comply within 30 days (a courtesy that will no longer be granted as of January 2023, a change to CCPA that California voters approved as a part of CPRA), certain truths have become evident, summarized from a much more in-depth analysis by Cory Underwood:
- Third-party marketing or analytics pixels are considered by the State of California to be a “sale” under the terms of the CCPA
- Given this definition, brands and organizations must state that they sell data and provide a way for consumers to opt out
- The State of California expects organizations to honor opt-out requests, including those implied by consumers using Global Privacy Control (GPC)
How To Avoid CCPA Enforcers
The best way to keep the California Attorney General’s office from knocking on your virtual door and doling out penalties is to establish and ensure constant compliance. If this situation with Sephora can teach brands anything, it’s this: you must complete regular, robust privacy audits and automate as much as possible.
Our world moves at the speed of digital, and these assessments move at analog speed — this gives you some advantages as enforcement ramps up, especially before the new year.
Sentinel Insights can help
Our technology, which monitors 100% of visitors in real time, can automate:
- Validation that your digital privacy requirements are in place across your websites
- Validation that the consent preferences a visitor specifies are reflected in the actual data you are capturing
- Discovery of and alerting to potential PII being sent to third parties
- Validation that the “Do Not Sell” GPC browser signal properly interfaces with your tracking requirements (or lack thereof!)
Sentinel Insights can also validate that your privacy policy links and Consent Management Platform (CMP) exist on every page of your website, and alert you immediately if they disappear for any reason (and yes, we’ve seen that happen!)
Reach out to schedule a demo or to learn more: https://www.sentinelinsights.com