Third-party tracking pixels as sale; GPC ignored
The first public CCPA enforcement settlement, arising from an AG sweep of online retailers. Sephora allowed third-party companies to install tracking software on its website and app, enabling those companies to build consumer profiles from device identifiers, shopping cart contents (including eyeliner brands and prenatal vitamins), and precise location data. Sephora received targeted advertising capabilities in return. The AG found this value exchange (data for advertising services) constituted a sale of personal information under the CCPA even though no money changed hands, establishing the foundational principle that in-kind benefit suffices.
Sephora failed on two fronts: it did not disclose in its privacy policy that it was selling personal information, and it did not honor opt-out requests transmitted via the Global Privacy Control. The case was also notable for the failure-to-cure finding: Sephora did not remedy the violations within the 30-day cure window then available under the CCPA, foreclosing that defense.
The settlement requires Sephora to pay $1.2 million in civil penalties, affirmatively disclose data sales in its privacy policy, implement opt-out mechanisms including GPC recognition, bring service provider agreements into CCPA compliance, and submit annual reports to the AG on its data sale activity and GPC compliance. Simultaneously with the announcement, the AG sent cure notices to additional unnamed businesses for the same GPC failure pattern, warning that the CCPA’s notice-and-cure provision would expire January 1, 2023.