Sephora Fined Over Alleged Privacy Violations, Global Opt-Out Failure

Cosmetics retailer Sephora has agreed to pay $1.2 million to settle allegations that it ran afoul of California's broad privacy law, state Attorney General Rob Bonta said Wednesday.

Sephora allegedly violated the law by failing to tell web site visitors it was “selling” their personal information, and failing to honor opt-out requests that consumers sent through global privacy controls, according to Bonta.

The settlement must still be approved by a judge.

“Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” Bonta's office said in a complaint filed Tuesday in San Francisco Superior Court.

“When a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web,” the complaint states.

California's privacy law, which took effect in 2020, gives consumers the right to learn what personal information has been collected about them by companies, have that information deleted, and prevent the sale or transfer of that data to third parties. The law's definition of "personal information" is broad enough to cover the type of pseudonymous data that companies rely on for ad targeting, and the law's definition of “sale” includes some of the data disclosures and exchanges that occur in the online ad ecosystem.

Regulations issued by former Attorney General Xavier Becerra require companies to honor global do-not-sell requests, as opposed to requiring individual site-by-site opt-outs. Earlier this year, Bonta specifically directed companies to honor requests sent through the “Global Privacy Control” -- a tool developed by privacy advocates that enables web users to opt out of the sale of their information on a universal basis.

Sephora's website “was not configured to detect or process any global privacy control signals, such as the ‘Global Privacy Control,’” according to the complaint.

“As a result, Sephora wholly disregarded consumers who communicated to the company, via a global opt-out signal, that Sephora should not sell their personal information,” the complaint continues.

Bonta's office began investigating Sephora in June of 2021, as part of an "enforcement sweep" of large retailers, according to the complaint.

Sephora allegedly failed to cure the alleged violations within 30 days of being notified about them.

In addition to the fine, Sephora also agreed to provide a mechanism to allow consumers to opt out of the sale of personal information, including through the Global Privacy Control tool, and to provide compliance reports to the Attorney General.

The company stated Wednesday that it “respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience.”

Sephora added that the agreement doesn't include an admission of liability or fault by the company.

Sephora also says it's currently in compliance with the California privacy law, and that it has allowed consumers to opt out of the sale of their personal information, including through the Global Privacy Control, since last November. 
