Sephora learns an expensive lesson about customer data privacy in California

Sephora ran afoul of California’s new data privacy laws, and the beauty retailer is paying the price for it.

Sephora will pay a settlement of $1.2 million to the state after selling customer data without informing its customers, according to NBC News.

The beauty retailer also agreed to adhere to an injunction whereby the company will let consumers opt out of the sale of personal information, will clarify its online disclosure/privacy policy, will conform its service provider agreements to the law’s strictures and will provide reports to the Attorney General on its sale of personal data and service provider relationships.

Sephora took issue with California’s definition of the word “sale” but respected the “perspectives and guidance” provided by the office of Rob Bonta, the attorney general of California, and said it respects customer privacy. Sephora’s settlement does not require the company to admit wrongdoing or liability.

Mr. Bonta told NBC News that the move represents the first real enforcement of the California Consumer Privacy Act (CCPA). The law took effect on January 1, 2020, with enforcement by the Attorney General beginning on July 1, 2020. Since California began pursuing enforcement in earnest, the Attorney General's office has sent more than 100 notices of violation to other companies, each of which has 30 days to cure the violation before enforcement proceeds.

While the CCPA is the first data protection law of its kind in the U.S., it was inspired by privacy legislation developed earlier in the European Union.

In 2018, the European Union's General Data Protection Regulation (GDPR) took effect, giving individuals in the EU more granular control over their personal data. The GDPR goes as far as to grant data subjects the right to have their data erased on request under certain circumstances. It also requires businesses to follow the principles of "data protection by design" and "data protection by default," which ensure, respectively, that systems are built with privacy in mind and that the most privacy-protective settings apply to users by default.

A recent study found that in the U.K., nearly half of retailers large and small have been fined for GDPR violations, particularly violations pertaining to video surveillance and the storage of video data, according to Security Magazine.

BrainTrust

"I'm glad to see the State of California taking this seriously. I wish the rest of the country would adopt similar legislation."

Gary Sankary

Retail Industry Strategy, Esri


"Walls of walled gardens will get higher. There is a lot of irony here."

Joel Rubinson

President, Rubinson Partners, Inc.


"This seems to be more of a money raising exercise than a policy to protect consumers."

Neil Saunders

Managing Director, GlobalData


Discussion Questions

What impact do you see the Sephora settlement having on how retailers use and sell data, both in California and throughout the U.S.? Do you think the laws will benefit consumers?

14 Comments
Neil Saunders
Famed Member
1 year ago

GDPR is a disaster of a policy and like much European Union legislation it is heavy handed and onerous. The law is so unwieldy and complex that it’s hardly surprising almost half of UK retailers have been issued fines. This seems to be more of a money raising exercise than a policy to protect consumers. Indeed, Amazon was fined around $877 million for something to do with cookie consent which seems disproportionate. By comparison, California’s laws and punishments seem quite reasonable.

Mark Ryski
Noble Member
1 year ago

Privacy is a real issue and it has serious consequences. Retailers must take privacy seriously. Brand loyalty is based in part on trust. Sephora’s loyal customers trust the company to do the right thing. Stewardship of the consumer’s data is part of that trust. While I doubt that this one case will have a dramatic impact on how retailers are operating today, I believe it’s a sign of things to come. Consumers should have a say in how their data is used.

Gary Sankary
Noble Member
1 year ago

I’m glad to see the State of California taking this seriously. I wish the rest of the country would adopt similar legislation. Consumers should not “opt out” of being tracked or having their details sold everywhere. On the contrary, companies should be required to have them “opt in.” I get a bit crabby when I see opt out options on websites and emails, attempt to do so, and then learn that it only applies to California residents. Perhaps more importantly, when consumers do opt in, retailers really need to be good stewards of their data. This is a trust and brand issue. Sadly the track record is relatively poor when it comes to good stewardship, which is why these laws are being enacted.

Gene Detroyer
Noble Member
1 year ago

The action by California is a warning shot to protect consumers. Companies will not develop two systems, one to meet the California standards and one that doesn’t. Other states will surely follow. This is a big BRAVO for consumers.

Shelley E. Kohan
Member
1 year ago

Sephora’s settlement will be a wake up call for all retailers. Data privacy is increasingly important as data sharing becomes more prolific. Consumers grow weary of their data being shared unknowingly. Even when consumers “accept” a retailer’s policy on privacy, most of them do not read the fine print of the policy. Policies and practices should be transparent and easy for consumers to understand. The opt in process allows a better chance of success for retailers to be transparent about data sharing. Consumers should be protected and have a say in how their data is shared. Most consumers are fine with their favorite retailers using data to create a better shopping experience, so a transparent process for consumers to understand HOW their data is to be used is critical. CA has always been stringent in terms of human resource and consumer protection policy so retailers can be conservative and create policies that align with CA regulations. Play it safe and protect the consumer.

Tara Kirkpatrick
1 year ago

I think the public clean up will benefit Sephora. As more people download more apps, the collective concern about personal data privacy is growing, but the resources and education for individuals to decode terms and agreements and take action to protect themselves is limited. As evidenced by a viral Instagram story last week about Instagram tracking “precise location,” people realize they are at risk and do not know enough. Since Sephora will be clarifying its language and actions as a result of this, I believe users will be more likely to forgive, knowing that they can at least trust the business moving forward.

David Spear
Active Member
1 year ago

In the first 18-24 months of GDPR enactment, there were tens of thousands of violations and several of them resulted in big fines such as Google’s $56 million fine in 2020. No doubt we’ll start to see many more of these in the U.S., hence the 100 or so pending cases with CCPA. Sephora’s fine ought to be a shot over the bow for other retailers. If they’ve been cavalier about their overall data strategy and security protocols, I would advise them to change immediately and make it a high priority. Understanding inflows/outflows, and how golden records are being stored and used, will be useful in reducing legal exposure for the short and long term.

Joel Rubinson
Member
1 year ago

One aspect is that the most stringent laws will drive corporate privacy policies as global companies do not want a patchwork of rules. From an ad measurement point of view, it will lead to differential privacy like Facebook releasing cohort data so no ID’s individual data exposure is revealed. Google will eventually strip IDs out of their ad server log files. Walls of walled gardens will get higher. There is a lot of irony here. Killing the third party cookie for privacy is a paradox as it was actually a highly anonymous identifier. You might see the same ads over and over but no one knew who you actually were! Apple has taken a highly restricted view regarding mobile ad IDs (MAIDs) and opt in yet Apple itself knows everything about me. The one shoe I hope never drops but I’m afraid it might is frequent shopper data offered by IRI, Nielsen, Catalina. That is a major advantage for CPG marketers who leverage it for targeting.

Shep Hyken
Active Member
1 year ago

Let this be a warning to the brands and organizations that have customer data. Manage it the right way!

Dion Kenney
1 year ago

This is the proverbial “shot across the bow” of the tech industry. States (and consumers!) have been grappling with this issue for decades. While it won’t have an overnight impact, you can already hear the discussions in boardrooms about the consequences to business practices. Hopefully the days of the data privacy Wild West are coming to an end.

Ananda Chakravarty
Active Member
1 year ago

More caution about using customer data. This is the law in California and it’s good that they are enforcing it. It’s also good business practice. Companies that misuse customer data, especially public facing companies like retailers, will face public outrage and backlash if the activity is not curtailed. Customers sharing data will move to more transparent retailers and this will open the door for new competitors over time.

storewanderer
Member
1 year ago

$1.2 million doesn’t sound like much of a fine to me….

This entire business of selling customer data won’t go away and will just change in form to run around these new laws. But it is a nice gesture I suppose.

I’d be curious how the credit card purchase data sold by the card issuers comes into play with this CA law. Or does the law only target retailers?

Craig Sundstrom
Noble Member
1 year ago

$1.2 million: that’ll teach ’em! Unless of course they profited by $1.3M … or $1.8M or $50M or … well, you get the idea: unless a penalty is truly punitive, it’s likely to be seen as (just) a cost of doing business.

AG Bonta is fond of grandstanding press conferences — I used to get weekly emails on them — but I’ll take a more guarded approach to assessing how effective this ends up being.

Ken Lonyai
Member
1 year ago

This is mostly a non-story. Alphabet for example, has proven repeatedly, globally, that there’s more benefit to large enterprises to disregard privacy laws and take the occasional slap on the wrist, than respecting their users and abiding by privacy regulations. Some companies will see this as a warning and others will continue the disregarding model.