Your Privacy Matters

We use cookies to enhance your experience on our site and to support our marketing efforts. Please view our Privacy Policy for more information.

Manage Preferences

California Privacy Compliance Has Irreversibly Changed


August 26, 2022


Wednesday, August 24 marked the end of the quiet period for enforcement of the California Consumer Privacy Act (CCPA).

Attorney General Rob Bonta’s office fined Sephora, a large cosmetics retailer owned by LVMH, $1.2 million. This is the first fine under CCPA. The AG’s office also sent notice and cure letters to more than 100 other businesses, giving them 30 days to correct violations.

What did Sephora do wrong?

Sephora allegedly installed third party trackers to build profiles on visitors. But what got them in real hot water with the AG was their claim they didn’t sell personal information. Under the CCPA, Sephora’s sharing of data qualified as a sale.

Now there’s no longer any doubt the “sale” of data includes the use of cookies and data sharing in targeted advertising.While $1.2 million is less than .1% of Sephora revenue, the company faces injunctions. It must file annual reports that name which entities receive personal information and why.The agreement with Bonta’s office “does not constitute an admission of liability or fault by Sephora,” said the company.

What does this mean?

Bonta’s statement was unequivocal: “It’s time for companies to get the memo. Protect consumer data. Honor their privacy rights. The kid gloves are coming off.”While regulators are expected to have patience with companies that show good faith effort—like auditing with Boltive Privacy Guard—they will have a short fuse with companies that don’t enact privacy protections.The Sephora judgement reminds companies they must avoid:

  1. hidden on-page trackers
  2. failure to process Global Privacy Control
  3. data sharing without consent (especially if the company claims otherwise)

Boltive helps businesses protect against all three areas.

What can we expect next?

Last year around this time Bonta’s office published an anonymized list of warning letters it sent out. This fine appears to be the kickoff for CCPA enforcement.

Watch out next year. In California on January 1, the stricter version of California’s privacy law, CPRA, takes effect, with stronger do not share provisions and tighter obligations to contract with and monitor third parties.

Also on that day, the 30 day cure period for companies to fix violations. goes away. Finally, there will be two sheriffs: the California Privacy Protection Agency (CPPA) and the Attorney General enforcing California privacy laws.

Other state laws will take effect, such as Virginia and January 1, Colorado and Connecticut July 1, and Utah December 31. Even in states without privacy laws, nearly all prohibit deceptive business practices such as false representations. These states could prosecute situations like Sephora’s where firms claim not to sell data but then allegedly do.Finally, at the federal level, we may have the national law (ADPPA) and or rulemaking and enforcement by the FTC.

“Following consumer outcry, regulators realize excessive data sharing is a threat to more people than data theft,” said Dan Frechtling, Boltive CEO. “Boltive Privacy Guard makes it simple for brands show the highest privacy standards to preserve consumer trust.”

Today, making sure consumers don’t see your ads is just as important as making sure they do. In a new privacy-oriented world, data sharing can create liability more often than data theft does. Privacy Guard uses patented technology to simulate your users journey on the web and captures and aggregates real ads being served in real time, delivering the key insights you need to keep your consumer data — and your brand reputation — safe.

Subscribe to our Newslettter
Subscribe to our Newslettter
Subscribe to our Newslettter
Subscribe to our Newslettter

Previous Post

No more posts...

We're fresh out of content!

All Posts

Next Post

You're all caught up!

All the news that's fit to print.

All Posts