Want to share this?

The State of California fines Sephora $1.2 million for privacy violations under California’s consumer privacy law.

The first public CCPA enforcement sends a strong message to retailers on the importance of proper incident management. Consumer data privacy is not something to take lightly and taking action now can help businesses mitigate reputational harm and costly fines. 

What is the CCPA?

The California Consumer Privacy Act (CCPA) was designed to give consumers more control over the personal information that businesses collect and offers regulation guidance to businesses on how to implement the law. The legislation secures new privacy rights for California consumers, including:

“If your company does business in California, Virginia, Colorado, Utah or Connecticut, I encourage you to get prepared now for the new/updated legislation that will go into effect in 2023,” – California Attorney General.
  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

Sephora agreed to pay the $1.2 million fine and comply with set terms after being found selling consumers’ personal data (despite consumers requesting their information not be sold), California Attorney General Rob Bonta stated in Wednesday’s press release.

The CCPA took effect in 2020 and is the country’s first state data privacy law. Since the beginning of 2021, Virginia, Colorado, Utah, and Connecticut have also passed privacy laws of their own, each set to take effect in 2023. 

California Attorney General, Rob Bonta comments on the incident, cautioning businesses:

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

The Clock is Ticking

As part of ongoing efforts to enforce CCPA, Attorney General Bonta sent notices earlier this week to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests. Businesses that received letters have 30 days to cure the alleged violations or face enforcement action. 

The CCPA’s notice and cure provision requires businesses to receive notice and opportunity to cure before they can be held accountable by the Attorney General for CCPA violations. This expires on January 1, 2023.

As the new year quickly approaches, there has never been a more critical time to prioritize  incident management within your organization. 

RadarFirst offers the only intelligent solution capable of automating the entire incident management lifecycle – keeping your organization compliant with shifts in regulation. Our solution helps organizations of all sizes accelerate efficiency, build customer trust, and embrace digital transformation.  

Verify Your Organization is Meeting CCPA Requirements