The alignment problem with sale of data

In August 2022, the California Office of the Attorney General announced a $1.2 million settlement with international cosmetic retailer Sephora for violations of the California Consumer Privacy Act. Following this announcement came a wave of questions about the regulator’s emphasis on the broad interpretation of the CCPA’s “sale of data” and adoption of the Global Privacy Control. The interpretation of a “sale” of personal data has been a lingering issue since the passage of the CCPA. Variations between existing U.S. state consumer privacy laws and the proposed American Data Privacy and Protection Act, industry groups’ definitions and self-regulatory guidance and the California attorney general’s focus on technical compliance highlight a lack of consensus on how to implement compliant “sale” and sharing of personal data across organizations and industries.

This white paper provides insights on:

• How privacy professionals across ten industries responded to the Sephora enforcement action.
• How privacy professionals are updating their practices to account for the expansion of “sale.”
• The technical, legal and business lenses different organizations use to review existing processes and create new ones.