
Cosmetics giant Sephora settles customer data privacy lawsuit

SACRAMENTO, Calif. (AP) — Sephora Inc., one of the world’s largest cosmetics retailers, has settled a lawsuit claiming the company sold customer information without proper notice, in violation of the California consumer privacy law, state attorney general Rob Bonta said Wednesday.

Sephora failed to notify customers that it was selling their personal information, failed to allow customers to opt out of the sale, and failed to resolve the issue within 30 days as required by law, even after having been notified of the breach, officials said.

The company agreed to pay $1.2 million and immediately correct the problem as part of the settlement, the state’s first such enforcement action under the California Consumer Privacy Act, according to Bonta.

Sephora said it was already complying with state law after cooperating with Bonta’s office.

“Data is power, and everyone wants it these days,” Bonta said.

“Some of the most intimate details of your life are being harvested,” he said. “The more data a company has about you, the more power it has over you, the more it can target you to buy its goods and services.”

But state law gives consumers a way to block that collection and sale.

The law was passed by state lawmakers in 2018 and expanded by voters in 2020. It gives California, home of Silicon Valley, what is considered the strongest US data privacy law, offering consumers the right to know what information companies collect about them online, to have this data deleted and to refuse the sale of their personal information.

Bonta’s office warned more than 100 companies that they were non-compliant and issued more than a dozen new notices on Wednesday. The “vast majority” complied, he said, but not Sephora, which sells cosmetics, fragrances, beauty and skincare products in 2,700 stores in 35 countries.

“Their actions relative to others were egregious,” he said, saying the settlement should be a wake-up call to other companies that aren’t complying.

The company has not admitted any liability or wrongdoing under the terms of the settlement. The company was founded in France and has its US headquarters in San Francisco.

In its settlement, Sephora agreed to clarify its website disclosures and privacy policy to tell customers it is selling their data and allow them to opt out of that sale — steps it has already taken. It will file reports with Bonta’s office on its sale of personal information and compliance with the law.

Sephora said in a statement that the company “respects consumers’ privacy and strives to be transparent about how their personal information is used to enhance their Sephora experience.” It said it allows customers to opt out of the sale of personal information starting in November 2021.

The company said its tracking allows it to “provide consumers with more relevant Sephora product recommendations, personalized shopping experiences, and ads,” but customers can now “opt out of this personalized shopping experience” easily.

Sephora allowed third-party companies to install tracking software that let them create detailed consumer profiles and better target customers, Bonta said. But on its website, it promised “we do not sell personal information,” according to the lawsuit.

The 30-day grace period for companies that break the law will end next year, when companies will be required to comply without warning.

Also next year, Bonta’s office will begin sharing enforcement responsibility with a new California privacy agency. The agency is gathering public comment this week on proposed privacy regulations as part of the 2020 expansion.

“There’s definitely an overlap,” Bonta said, but “multiple watchdogs on the block stand up for consumers, stand up for their privacy, make sure that data decisions are in their hands and that their data are not sold or misused against their wishes is a good thing and we are happy about that.”

Bonta and other California officials also want to make sure the state’s tough law isn’t undermined as the federal government considers what are likely to be lower national standards.

The executive director of the state’s new privacy agency sent a letter this month to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy, both of California, warning that a version being considered in the House would replace California’s protections with weaker protections. Governor Gavin Newsom and the state Assembly Speaker are among others who opposed it.

Bonta said California law would not be affected as long as Congress made its standards “a floor, not a ceiling.” “Let them not prejudge the incredible privacy protections, state-of-the-art privacy protections that we have here in California.”

The Federal Trade Commission said this month that it would also consider new rules.