Brands Review Data Privacy Policies After $1.2 Million Sephora Settlement

More marketers are taking notice of California’s data privacy laws after the state said last month that cosmetics retailer Sephora had agreed to pay $1.2 million in penalties for alleged violations related to its targeted advertising practices.

Many companies affected by the California Consumer Privacy Act, which came into effect in 2020 after being passed in 2018, didn’t take significant steps to ensure compliance because they believed that the regulations didn’t apply to them or that the risks were minimal, according to advertising executives and advisers.

They have been more focused on the European Union’s General Data Protection Regulation, which has led to nine-figure fines for tech giants including Meta Platforms Inc. and Inc.

But some experts said these companies may be in for a rude awakening after Jan. 1. That is when the California Privacy Rights Act, expanding and amending CCPA, takes effect and the 30-day cure period previously granted to businesses accused of violating the law disappears.

“A lot of companies said, ‘I’m too small, no one’s going to find me, I’ll just wait.’ So now they’re scrambling,” said Jodi Daniels, founder and chief executive of privacy consulting firm Red Clover Advisors LLC. “There will be more Sephoras.”

More than 100 public and private companies received letters from California Attorney General Rob Bonta as part of the 2021 sweep of large retailers that led to the Sephora settlement, and many more letters have gone out to comparable businesses in recent weeks as part of a new sweep, according to a spokesperson for the attorney general’s office.

Some companies that have received letters have complied or begun working toward compliance, while others remain under investigation, the spokesperson said.

A spokeswoman for Sephora, which is owned by French luxury products company LVMH Moët Hennessy Louis Vuitton SE, said the company has been working with Mr. Bonta’s office since receiving the letter in 2021, and that a more recent review of its practices by the state found no concerns related to CCPA.

Marketing trade organizations like the Association of National Advertisers have pushed for a federal privacy law that would simplify the compliance process, and Congress recently debated a bipartisan bill. But the bill is unlikely to pass with midterm elections approaching, observers said.

For now, laws like CCPA that apply to any business with customers in the states where they were passed will serve as de facto national regulations. Similar laws will take effect in Virginia, Colorado, Connecticut and Utah next year.

Newfound clarity

Ms. Daniels said her privacy consulting firm has been discussing the matter with retailers, publishers, tech companies and business-to-business marketers that handle large quantities of consumer data but have little understanding of the law’s requirements.

Direct-to-consumer businesses that rely heavily on email sign-ups and targeted ads are also in the spotlight, said Mike Grillo, vice president of marketing at financial tech company Ampla Technologies Inc., which provides financing to startups.

The biggest losers could be marketers at small-to-midsize businesses who did not realize that the regulations would apply to them, said Daniel Goldberg, partner at New York-based media and ad industry law firm Frankfurt Kurnit Klein & Selz PC.

Many companies didn’t realize that the sharing of data could violate CCPA, even when they used tools like Google’s Marketing Platform that let users opt out of some targeted advertising, Mr. Goldberg said.

A separate point of contention for marketers was the fact that the CCPA’s definition of “sale” included sharing consumer information with outside parties regardless of whether money is exchanged. Many companies delayed compliance because they disagree with that definition and don’t want to tell consumers that they sell data, he said.

The Sephora case was both “a warning shot” and “an effort to remove any potential residual doubt that an opt-out is and will be required—whether for sale or for sharing of data for targeted advertising,” said Arielle Garcia, chief privacy officer at Interpublic Group of Cos. media agency UM.

Big advertisers since 2019 have been discussing CCPA and its regulations of so-called tracking pixels that let businesses target ads to people who have visited their sites, said Ms. Garcia. But they’re now paying more attention to CPRA’s expansion of consumers’ ability to limit the collection of sensitive personal information, including IP addresses and location data, she said. That rule in particular has gained more attention in light of the U.S. Supreme Court’s decision to repeal the national right to an abortion.

The Sephora case also facilitated new conversations about marketers’ use of behavioral data, as well as the so-called Global Privacy Control tool, which lets people opt out of data collection on the browser level rather than having to click individual businesses’ opt-out buttons, Ms. Garcia said.

California’s decision to require businesses to recognize GPC more than one year ago further complicated the compliance process, because CCPA didn’t initially contain any language related to the tool, Mr. Goldberg said. The state’s determination that Sephora didn’t process global opt-out requests played a key role in the attorney general’s decision to take action.

Bring in the CMO

Data policies have traditionally been the responsibility of a company’s legal counsel or privacy director, experts said, but marketing executives are becoming increasingly involved because California’s regulations focus on practices typically managed by the marketing department.

Ya Ya Creations Inc., which owns e-commerce sites such as party supply retailer, is reviewing its so-called remarketing practices to make sure they don’t violate the law before the Jan. 1 deadline at the suggestion of its advertising and web development firm X Agency, said Marguerite Gockel, executive vice president of marketing.

Remarketing refers to the use of online behavioral data, such as items that someone placed in an online shopping cart but didn’t buy, to target consumers with paid promotions across various websites and platforms.

Tech platforms have also played a role in helping businesses comply with the laws. Mr. Grillo of Ampla said many of his company’s clients use Meta’s Limited Data Use feature, as well as a tool provided by e-commerce company Shopify Inc. that automatically generates language they can use to describe their privacy policies, as required by CCPA.

For now, the potential risks of ignoring the law are greater than the costs of compliance, because companies know that a public settlement can damage their reputation in addition to their bottom line, said Ms. Daniels, the privacy consultant.

“People see a headline about Sephora and everyone thinks they sold data,” she said. “They don’t understand the details of the situation.”

Write to Patrick Coffee at

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.