It would seem that enforcement of the CCPA, which originally passed in 2018, has begun in earnest. California’s Attorney General (AG) has announced a first of its kind, $1.2m settlement with cosmetics chain, Sephora. With this first settlement providing insight into the legal interpretation of the Act and companies’ risk exposure, what have we learned?
1. The use of third-party cookies for targeted advertising/marketing or even analytics purposes constitutes a “sale” under the CCPA. From the Act’s inception, the question of whether use of third-party cookies counts as “selling’ personal information under the CCPA has been hotly debated by legal and privacy experts. Well, now we have an answer.
Many online retailers allow third-party companies to install tracking software on their websites/applications so as to allow the monitoring of consumers as they shop. The cookies on Sephora’s website allowed third-parties to track the type of computer used by shoppers (MacBook vs. Dell), the brand of prenatal vitamins consumers placed in their online “shopping carts” (revealing the fact that a consumer is pregnant), and even the consumer’s precise location. As provided in the AG’s Announcement, “Sephora’s arrangement with these companies [granting access to personal information in exchange for free or discounted analytics and advertising benefits] constituted a sale of consumer information under the CCPA”.
2. Businesses located outside of California are subject to the CCPA and will be targeted by the state’s AG. The first CCPA settlement was not with a tech company, or a Silicon Valley firm, or even a company located in the state of California for that matter. The first settlement was with a French company, whose website was accessible to California consumers. This settlement should serve as a cautionary tale for companies based outside of California, or even outside the US.
3. What’s the risk? Currently $1.2m. One more than one occasion, an in-house attorney has been asked to quantify the risk associated with a certain course of action. Concerning the CCPA, until this settlement, counsel had to point to the statutory damage language found in the Act (civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation) (deceptively tame in comparison to GDPR fines) and caution as to untold damage amounts associated with loss of goodwill, consumer confidence, and trust. Now we have a concrete settlement amount: $1,200,000 PLUS the unknown cost of bringing the business up to CCPA standards (Sephora must revise its online disclosures and privacy policy, provide mechanisms for consumers to opt out of the sale of personal information, conform service provider agreements to CCPA requirements, etc.). While $1.2m may be a relatively small fine for an international cosmetics giant like Sephora, it certainly is real money. When asked to quantify risk, counsel now have a million-dollar settlement to point to.
The CCPA applies to for-profit businesses that do business in California that collects, shares, or sells California Consumers’ personal data, and meets any of the following conditions: (a) has annual gross revenues in excess of $25m; (b) possesses the personal information of 50,000 or more consumers, households, or devices; or (c) earns more than half of its annual revenue from selling consumer’s personal information. Roberts Law is here to help with any questions or concerns regarding the CCPA and its applicability to your Florida business.
josh@joshrobertslaw.com
(941) 315-4058
Disclaimer: The information in this blog post (“post”) is provided for general informational purposes only and may not reflect the current law in your jurisdiction or the jurisdiction applicable to your issue/matter. No information contained in this post should be construed as legal advice from Roberts Law, PLLC or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.
