Beauty retailer Sephora was fined $1.2 million by California Attorney General Rob Bonta and is the first-ever California Consumer Privacy Act enforcement action. At the heart of the matter is Sephora allegedly misrepresenting its actions to California consumers (saying that it did not sell consumer personal information despite the fact it engaged in targeted advertising, thereby “selling” data to third-party companies) and failing to provide for or recognize global opt-outs “including … the Global Privacy Control." Nowhere on their website or app did it clearly list a “Do Not Sell My Personal Information” link. This means Sephora sold the data of users who legally opted out via a global privacy setting.

The various information that Sephora tracked and sold without proper disclosure or opt-out capability included geolocation and network activity with both analytics partners and advertisers. Sephora allegedly gave this information in exchange for analytical or advertising services. The retailer was not covered by any exemptions to user consent, as they had no valid third-party service provider contracts.

This enforcement is a case study in noncompliance, how marketing and privacy intersect, and what companies should do to avoid the glare of the attorney general. Before understanding what companies should be doing to avoid a similar enforcement action, it’s important to understand how privacy laws such as the California Consumer Privacy Act now interpret targeted advertising as a sale of data.

Consumers care about privacy

A recent 2022 Integral Ad Sciences report found 99% of consumers “agree that privacy is important while browsing online.” Sixty-seven percent of consumers agree that “they are more vigilant about their online data and privacy than ever before.” Meanwhile, “68% of consumers are uncomfortable with their online data being used for advertising purposes.”

There is often a pull between marketing and privacy. A marketer’s job is to help promote the brand, attract new customers and inform current customers about all the products and services they should purchase. 

In our increasingly busy lives, marketing is about targeting the right audience. In the $72 billion direct mail advertising market, it has been a practice for years that data is purchased from entities such as data brokers and credit card companies — I’ve even had direct mail marketers say the lists are shared amongst themselves so that retailers can send hopefully the right catalog to just their ideal customer. 

Internet marketing has gone through many iterations, starting with placing basic ads on a website (here’s a fun flashback to internet ads including popups) to the late 2000s era of aggregating websites into ad networks. This aggregation allowed advertisers to once again target ads to their ideal demographic.

As the adtech ecosystem matured with more complex measurement and targeting tools, a single tag eventually could house multiple tags, and pixels would drop multiple cookies on users’ computers. These pixels were originally referred to in the advertising industry as “non-personally identifiable information” and were shared amongst hundreds of companies, which in turn built profiles or algorithms. A classic example: A Facebook pixel drops on a publisher’s site. The publisher shares this data back to Facebook. Facebook adds it to its algorithm. The publisher runs a targeted campaign on Facebook based on the people who visited their site and engaged with the Facebook ad. 

When a company gives information such as geolocation, browsing and networking activity in exchange for analytical or advertising services, California clearly says it will be treated as a sale as this was an exchange for other valuable consideration.

Sale within the context of the CCPA is defined as:

“... Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration under its definition of sharing of data for other valuable consideration.”

Opt-outs and Global Privacy Control

While cookie banners have been around for a while (thank you, 2011 ePrivacy Directive), the EU General Data Protection Regulation made them popular. The philosophy behind the cookie banner is to inform customers about the type of cookies placed on a website, for what purpose, and to allow the individual choice over cookies. There’s been discussion that the cookie banner has backfired. In its current state, it is cumbersome to accept or reject on each individual website. Cookie banners are not the best user experience and most consumers don’t have a clue about any of the adtech vendors are to make an informed decision to opt-in or opt out. 

Global Privacy Control is a new alternative to let consumers exercise control at the browser level and is supposed to help in the long-term with cookie banner overload. Several of the state attorneys general offices, including California, have stated that they expect companies to adhere to the GPC. In the California attorney general’s press release on the Sephora fine, specific mentions of the GPC state the expectation of its implementation.

Why some companies don’t agree

Over the last several years I have had many conversations with companies, marketers and even privacy attorneys who do not agree with this definition of sale and have proceeded business as usual, with no reference to sale of data in the privacy notice and no “do not sell my personal information” link.

The arguments were that the advertising companies were service providers, other companies weren’t doing it, and overall, there is not agreement with the wide-reaching definition of “sale.” Many, including Sephora, stated the “CCPA does not define ‘sale’ in the traditional sense of the term. ‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.”

All companies should heed this CCPA enforcement action as notice and ensure they are complying accordingly.

The cost of noncompliance

Noncompliance with laws takes a significant toll on a company. It costs money to hire attorneys and privacy professionals. It takes time that otherwise could be dedicated elsewhere. It always takes longer to react than be proactive. A search for “CCPA Sephora Fine” listed 12,600 search results — plenty more negative press than Sephora likely wanted.

For a company that only meets the definition of sale through targeted advertising, most of their customers will not know the nuanced difference. Customers who see the headline “Sephora settled for $1.2M for sale of customer data” might be alarmed and think all their personal information was sold directly to a third party. Some customers do not want any data sold and that’s why 38% of consumers use an ad blocker and why 51% of consumers cleared browser cookies.

Per the settlement, Sephora must not only remediate but create a program to implement and maintain to ensure the opt-out process of opt-out.  Any tracking technologies and third parties that Sephora will share data with must go through an internal review process and the company must provide annual reporting to the California Attorney General’s Office. The first report is due within 180 days of the settlement and for two years thereafter.

Whether companies or privacy professionals agree or not is no longer left for debate. California Attorney General Rob Bonta made it clear that targeted advertising is a sale of data and companies need to comply. 

In a public statement, Bonta said: “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Lessons learned

With this in mind, companies should ensure compliance with the following steps:

1. Data inventories

Perform a data inventory of all business process activities. It is important to take not only a lens that identifies which system stores what type of data elements but to take a business process approach. When identifying business processes such as digital marketing and email marketing, the focus can be on the use of data and not just the kind of data and what system it’s stored in. Through this method of identifying the business processes, systems and data are identified by the specific processing activity and it becomes clear why and how data is used to better flag any potential sales of data. For example, a system-first approach only identifies that email, name and phone are stored in Salesforce and Hubspot. It does not explain why it is used or by whom in the company or where else it might be shared. A business process approach would identify that the company engages in email marketing and that the data elements collected in that process are name and email — these are stored in Salesforce and Hubspot and are used by the marketing teams and sent to an outside agency. In another business process such as custom audience targeting, the documentation would capture that the company is using email and phone stored in Salesforce and that this data is shared with a social media platform. The business approach catches how data is used and the sharing of this data to a third party. It also would flag processes that could be selling data.  

2. Website scans

Marketing departments should be active participants in a data inventory. Specifically related to targeted advertising, a cookie scanning tool is an important part of this process and will help identify any other potentially hidden tags that the website did not specifically place and may have been added by a digital agency (these are often known as fourth-party tags). The scans should be performed on all landing pages, including those not a part of the main website, such as a one-off webinar, special event or opt-in page. 

3. Provide the proper opt-outs

Companies should include the “do not sell my personal information” link in the footer just like where the privacy notice typically is located. Using a cookie consent tool will allow for easier management of listing all the cookies the user can opt in or out of. If it is not already implemented, now is also the time to get Global Privacy Control up and running. 

4. Update the privacy notice

Marketing and privacy professionals should work together to ensure the privacy notice accurately reflects what type of cookies and tracking technologies are included and how they are used. I always like to say that the privacy notice is meant to “say what the company does and then the company needs to do what it says.” The information gathered in the data inventory and website scan will be valuable here. The privacy notice should describe the types of cookies used, for what purposes, any data that is “sold” and how individuals can exercise their choices.

5. Set regular touchpoints between privacy and the business

Privacy and marketing are year-round activities. Privacy and the business, especially marketing, should work together all year long. This can include participating in marketing strategy sessions, reviewing new campaigns and evaluating new vendors — especially how data may be used by them. There is a lot of discussion about “shifting left in privacy" when it comes to engineering. We need to “shift left” in marketing too (and maybe even in the business too!).

Conclusion

Customers want to trust that the brand will deliver on the goods and services they purchase. I believe it is the privacy professional’s role to work with the business to build trust. Companies need to heed the signal from this first enforcement action that targeted advertising is a sale of data. The companies that go above and beyond that requirement and emphasize how privacy is integral to their business activities will stay out of the attorney general office’s attention and also win the trust of individuals.