Capitol Alert

California settles $1.2 million suit with Sephora, claiming it secretly sold customer data

By Lindsey Holden
In this 2017 file photo, shoppers visit a Sephora boutique inside a JCPenney store in New York. The makeup retailer must pay $1.2 million after settling a California data privacy lawsuit.
In this 2017 file photo, shoppers visit a Sephora boutique inside a JCPenney store in New York. The makeup retailer must pay $1.2 million after settling a California data privacy lawsuit. Mark Lennihan Associated Press

Makeup retailer Sephora will pay California $1.2 million and make changes to its privacy policies after the company allegedly sold customers’ data without their knowledge, under a settlement announced Wednesday.

Attorney General Rob Bonta said Sephora, which sells cosmetics and beauty products online and at stores around the country, violated the California Consumer Privacy Act and didn’t correct its policies when given the opportunity.

The retailer allegedly sold customers’ personal information without notifying them and didn’t process requests to opt out of data sales. The Attorney General’s Office said Sephora allowed third parties to make profiles of customers by tracking information about the brands of computer they used to make online purchases, as well as the types of products they put in their website “shopping carts.”

During a press call, Bonta said his office had sent out “100 plus” notices of Consumer Privacy Act violations prior to Wednesday. The office sent “over a dozen more” on Wednesday morning, Bonta said.

He declined to name the businesses that had received violations, citing ongoing investigations.

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law,” Bonta said in a statement. “My office is watching, and we will hold you accountable.”

The settlement does not force Sephora to admit fault or liability. It does require the company to make its online disclosures and privacy policy more clear, provide opt-out mechanisms, conform service provider agreements to the Consumer Privacy Act rules and report to the Attorney General on its personal information sales.

“Sephora respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience,” the company said in a statement.

Sephora said it “uses data strictly for Sephora experiences.”

“However, the California Consumer Privacy Act does not define ‘sale’ in the traditional sense of the term,” the statement said. “’Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.”

The state’s Consumer Privacy Act, which former Gov. Jerry Brown signed in 2018, gives California consumers the right to know that a business is collecting and using their information and the right to opt out of data sales.

The Attorney General’s Office also requires companies that do business online to honor Global Privacy Control services offered through internet browsers. Users can set their privacy preferences in the browser, which sends signals to businesses about which consumer data they can and cannot use.

This story was originally published August 24, 2022 at 1:38 PM.

Related Stories from Sacramento Bee
Get one year of unlimited digital access for $159.99
#ReadLocal

Only 44¢ per day

SUBSCRIBE NOW