Cosmetics retailer Sephora to pay $1.2 million under sweeping California privacy law

The state's attorney general said Sephora failed to tell customers that it was selling their data through contracts with online tracking companies.

A pedestrian walks past a Sephora store on June 5, 2019, in Chicago. (Scott Olson / Getty Images)

SAN FRANCISCO — California has its first significant settlement under the state’s sweeping online privacy law, and it’s not with a tech company. 

California Attorney General Rob Bonta said Wednesday that the state had reached a settlement with Sephora in which the cosmetics retailer will pay $1.2 million and agree to an injunction for selling customers’ data without telling them.

Bonta said the settlement marks the start of real enforcement of the California Consumer Privacy Act, which has been taking effect in stages since 2020 and covers the state’s 39 million residents. 

“The kid gloves are coming off,” Bonta, a Democrat, said in an online news conference. “There are no more excuses. Follow the law. Do right by consumers.” 

It’s the first settlement that Bonta’s office has reached under the law, which also allows some lawsuits by consumers themselves. 

Bonta’s office said it conducted a sweep of online retailers and found Sephora’s failure to disclose, as well as failures to process people’s requests to opt out of the sale of information. The sale in question was an arrangement between Sephora and third-party companies to monitor customers as they shopped, the office said in a news release. 

Sephora, a subsidiary of Paris-based luxury conglomerate LVMH, took issue with calling that arrangement a “sale” of data in the usual sense. 

The California law “does not define ‘sale’ in the traditional sense of the term,” Sephora said in a statement. “‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.” 

“Sephora was not the target or victim of a data breach,” the company added, saying it respects “the perspective and guidance” provided by Bonta’s office and also respects consumers’ privacy. 

The settlement, which still needs the approval of a state judge, does not require Sephora to admit liability or wrongdoing.

Big tech companies — many of which call California home — have lobbied to blunt the impact of the state privacy law, assuming they might be among the targets for enforcement.

But the settlement with Sephora shows the potential wider impact of the law. Bonta said his office has sent out more than 100 notices of violations to other companies. Businesses have 30 days to fix the alleged violations or face potential enforcement.