Beauty goliath Sephora has been fined US$1.2m in a settlement after allegedly breaching the California Consumer Privacy Act (CCPA).
Customers were not informed that the retailer was selling their data, according to Bloomberg.
The report added that Sephora had also failed to honour consumer requests of opting out from their information being sold.
The fine marks the very public enforcement action brought under the 2018 act, and comes after over 100 online retailers were spot-checked to assess their compliance with the act.
The CCPA was implemented in 2018 to give consumers more control over the personal information that businesses collect about them.
The landmark law secured new privacy rights for California consumers, including the right to know about the personal information a business collects about them and how it is used.
It also gave people the right to delete personal information collected from them.
The CCPA applies to for-profit businesses that do business in California that have a gross annual revenue of over $25m.
It also applies to companies which buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.
This is in addition to businesses which derive 50% or more of their annual revenue from selling California residents’ personal information.
“Sephora respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience,” a spokesperson for Sephora said.
“It is important to note that Sephora uses data strictly for Sephora experiences. However, the California Consumer Privacy Act (“CCPA”) does not define 'sale' in the traditional sense of the term.
“‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalised shopping experiences and ads.
“Consumers have the opportunity to opt-out of this personalized shopping experience by clicking the “CA – Do Not Sell My Personal Information” link on the footer of the Sephora.com website or by using a browser that broadcasts the Global Privacy Control.
“Sephora was not the target or victim of a data breach, and this agreement with the California Office of the Attorney General (“OAG”) does not constitute an admission of liability or fault by Sephora.
“We have always cooperated fully with the OAG and Sephora’s practices are already in compliance with the CCPA.
“We respect the perspective and guidance provided by the OAG and understand the importance of the continually evolving requirements around consumer privacy.”