August 26, 2022
Wednesday, August 24 marked the end of the quiet period for enforcement of the California Consumer Privacy Act (CCPA).
Attorney General Rob Bonta’s office fined Sephora, a large cosmetics retailer owned by LVMH, $1.2 million. This is the first fine under CCPA. The AG’s office also sent notice and cure letters to more than 100 other businesses, giving them 30 days to correct violations.
Sephora allegedly installed third-party trackers to build profiles on visitors. But what got them in real hot water with the AG was their claim they didn’t sell personal information. Under the CCPA, Sephora’s sharing of data qualified as a sale.
Bonta’s statement was unequivocal: “It’s time for companies to get the memo. Protect consumer data. Honor their privacy rights. The kid gloves are coming off.”
While regulators are expected to have patience with companies that show good faith effort—like auditing with Boltive Privacy Guard—they will have a short fuse with companies that don’t enact privacy protections.
The Sephora judgement reminds companies they must avoid:
Boltive helps businesses protect against all three areas.
Last year around this time Bonta’s office published an anonymized list of warning letters it sent out. This fine appears to be the kickoff for CCPA enforcement.
Watch out next year. In California on January 1, the stricter version of California’s privacy law, CPRA, takes effect, with stronger do not share provisions and tighter obligations to contract with and monitor third parties.
Also on that day, the 30-day cure period for companies to fix violations goes away. Finally, there will be two sheriffs: the California Privacy Protection Agency (CPPA) and the Attorney General enforcing California privacy laws.
Other state laws will take effect, such as Virginia on January 1, Colorado and Connecticut July 1, and Utah December 31. Even in states without privacy laws, nearly all prohibit deceptive business practices such as false representations. These states could prosecute situations like Sephora’s where firms claim not to sell data but then allegedly do.
Finally, at the federal level, we may have the national law (ADPPA) and/or rulemaking and enforcement by the FTC.
“Following consumer outcry, regulators realize excessive data sharing is a threat to more people than data theft,” said Dan Frechtling, Boltive CEO. “Boltive Privacy Guard makes it simple for brands to show the highest privacy standards to preserve consumer trust.”
Today, making sure consumers don’t see your ads is just as important as making sure they do. In a new privacy-oriented world, data sharing can create liability more often than data theft does. Privacy Guard uses patented technology to simulate your users’ journey on the web and captures and aggregates real ads being served in real time, delivering the key insights you need to keep your consumer data — and your brand reputation — safe.