Cosmetics maker Sephora settles customer data privacy lawsuit in California

Sephora Inc., one of the world’s largest cosmetics retailers, has settled a lawsuit claiming the company sold customer information without notice in violation of California’s consumer privacy law, a said state attorney general Rob Bonta.

Sephora failed to notify customers that it was selling their personal information, allow customers to opt out of the sale, and fail to resolve the issue within 30 days as required by law, even after being notified of the violation, state officials said.

The company agreed to pay $1.2 million and immediately correct the issue as part of the settlement, the state’s first such enforcement action under the California Consumer Privacy Act, according to Bonta.

“Data is power and nowadays everyone wants it,” Bonta said.

“Some of the most intimate details of your life are being harvested,” he said. “The more data a company has about you, the more power it has over you, the more it can target you to buy its goods and services.”

But state law gives consumers a way to block that collection and sale.

The law was passed by state lawmakers in 2018 and expanded by voters in 2020. It gives California, home of Silicon Valley, what is considered the strongest US data privacy law, offering consumers the right to know what information companies collect about them online. , to have this data deleted and to refuse the sale of their personal information.

Bonta’s office warned more than 100 companies that they were non-compliant and issued more than a dozen new notices on Wednesday. The “vast majority” complied, he said, but not Sephora, which sells cosmetics, fragrances, beauty and skincare products in 2,700 stores in 35 countries.

“Their actions relative to others were egregious,” he said, saying the settlement should be a wake-up call to other companies that aren’t complying.

The company has not admitted any liability or wrongdoing under the terms of the settlement. The company was founded in France and has its US headquarters in San Francisco.

In its settlement, Sephora agreed to clarify its website disclosures and privacy policy to tell customers it is selling their data and allow them to opt out of that sale. He will file reports with Bonta’s office on his sale of personal information and compliance with the law.

Sephora said in a statement that the company “respects consumers’ privacy and strives to be transparent about how their personal information is used to enhance their Sephora experience.”

The company said its tracking allows it to “provide consumers with more relevant Sephora product recommendations, personalized shopping experiences, and ads,” but customers can now “opt out of this personalized shopping experience” easily.

Sephora allowed third-party companies to install tracking software that allowed them to create detailed consumer profiles that allowed them to better target customers, Bonta said. But on its website, it promised “we do not sell personal information,” according to the lawsuit.

The 30-day grace period for companies that break the law will end next year, when companies will be required to comply without warning.

Also next year, Bonta’s office will begin sharing enforcement responsibility with a new California privacy agency. The agency is gathering public comment this week on proposed privacy regulations as part of the 2020 expansion.

“There’s definitely an overlap,” Bonta said, but “multiple watchdogs on the block stand up for consumers, stand up for their privacy, make sure data decisions are in their hands and their data doesn’t are not sold or misused against their wishes is a good thing and we are happy about that.

Bonta and other California officials also want to make sure the state’s tough law isn’t undermined as the federal government considers what are likely to be lower national standards.

The executive director of the state’s new privacy agency sent a letter this month to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy, both of California, warning that a version being considered in the House would replace California’s protections with weaker protections. Governor Gavin Newsom and the Speaker of the State Assembly are among others who have objected.

Bonta said California law would not be affected as long as Congress made its standards “a floor, not a ceiling.” Let them not prejudge the incredible privacy protections, state-of-the-art privacy protections that we have here in California.

The Federal Trade Commission said this month that it would also consider new rules.

Copyright 2022 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

California lawsuits

Interested in Data Privacy?

Receive automatic alerts for this topic.

Virginia C. Taylor