Sephora to Pay 1.2 million USD for CCPA Violations

Feb 21 2023 8:35 PM

California has fined Sephora 1.2 million US dollars for allegedly selling customer data without consent. According to reports, the company collected and sold consumer information to advertisers without informing their customers first. The law governing this is the CCPA (California Consumer Privacy Act), passed earlier this year. 

Sephora sold customer info without consent.  

The fine comes from an investigation by the state attorney general, Rob Bonta, into non-compliance with the California Consumer Privacy Act, which went into effect in 2020. 

The company is accused of selling customer information to advertisers without customers' knowledge or consent, conduct that could violate the CCPA.

The CCPA requires businesses to inform consumers about who accesses their personal data and how it is used.

Businesses must also obtain explicit permission from customers before selling their personal information to third parties for advertising or otherwise using it for marketing purposes—something Sephora was not doing prior to receiving its massive fine from California.

Sephora Inc., headquartered in New York City with additional locations throughout Europe and Asia, is a subsidiary company of LVMH Moët Hennessy Louis Vuitton SE (LVMH).

More fines are coming 

The California attorney general is investigating several online retailers for CCPA non-compliance. The sweeping investigation, announced on Wednesday, is the first of its kind.

"If you are an online retailer and you're collecting personal data from Californians, you need to protect it—and we will hold you accountable," Attorney General Rob Bonta said in a statement.

Millions were said to be put at risk by Sephora's non-compliance 

The California Department of Justice announced that Sephora had been fined $1.2 million for failing to comply with CA's data privacy laws.

The non-compliance means millions of Californians were denied their rights under the law and exposed to potential harm from identity theft or other frauds - all because Sephora refused to tell its customers how third parties were using their personal information. 

Consumers need to be able to make informed choices about how their personal information is used and shared online--but only if they have access to accurate information about what happens with this data in the first place! 

The CCPA (California Consumer Privacy Act) governs data privacy law 

The California Consumer Privacy Act mandates that businesses disclose how they use customer data. In other words, for every piece of information about a consumer that it collects and stores—including name, address, purchase history, and online browsing habits—a business must disclose whether or not it shares that information with third parties.

Sephora didn't do enough to notify customers. 

The company has been fined for failing to inform its customers that it was selling the data collected from their online and app purchases.

According to a press release from the California Attorney General's Office, there are several ways Sephora violated this act: 

  • They sold consumer data that they obtained through website and app purchases.

  • They failed to honor requests made by consumers who opted out of having their information sold.

  • They traded consumer data for better advertising and targeting opportunities with other companies.

Businesses need to know what the CCPA is and ensure compliance 

The first step in compliance with the California Consumer Privacy Act is to use the right tools and approaches. 

You also need to train your employees. This can include training them on how to provide their customers with a privacy policy that addresses their needs and is easy to understand.  

You need to train your customers on how they can manage their personal information within each account so that they know what information is being collected and shared; where it's stored; who has access (including third parties); and what security measures are in place to protect it from unauthorized access or misuse. 

Training should also be provided for vendors who have access to consumer data to provide their services (e.g., cloud providers). 


We know that compliance can be a challenge for businesses. But you don't have to do it alone! Contact us today for more information about how we can help your company stay compliant with new privacy laws like the CCPA.

© 2023 Adzapier. All rights reserved.