California’s Sephora Enforcement Action – What Does It Mean for Australian Organisations?
While million-dollar fines are commonplace in Europe, the $1.2 million settlement following the Sephora Enforcement Action is the first of its kind in the US. Learn why this settlement is significant and what it means for Australian organisations in this post:
Sephora Privacy Complaint & Settlement
The complaint against Sephora focused on the retailer’s practice of transferring data to third parties. California’s Attorney General (AG) alleged that this transfer amounted to a sale of data and, as a result, Sephora should have had a “Do Not Sell” link on its site.
It alleged the transfer was a sale because the third parties received the data in exchange for free or discounted analytic reporting to Sephora. The third parties were generally permitted to keep the personal information about an online shopper’s activities and use it as they wished.
Under the settlement, Sephora must:
- Pay $1.2 million in penalties;
- Allow users to opt-out of the sale of personal information;
- Update its service provider agreements; and
- Report to the AG about the sale of personal information, service provider relationships, and its efforts to honour the Global Privacy Control.
It is worth noting that the total cost of the settlement will exceed the $1.2 million penalty. Complying with the settlement provisions and reporting requirements will be expensive in itself. Sephora will also need to manage the damage to its reputation caused by its poor privacy practices.
Key Takeaways from the Sephora Enforcement Action: What Can Australian Organisations Learn?
Understand Your Data Flows
It is becoming increasingly important for organisations to know, understand, and map data flows.
To remain compliant and competitive, you should:
- Know where, when, and for what purpose your organisation collects data – especially if it is sensitive personal information.
- Have a map identifying where that data flows, including to any third parties.
- Consider adopting very transparent disclosures about your privacy practices and data use. You should use clear and easy-to-understand language.
- Make it easy for your customers to access and control their personal information.
- Consider updating your website’s functionality to honour global opt-out mechanisms, like the Global Privacy Control.
California Poised to Enforce Global Privacy Control (GPC) & Opt-Out Mechanisms
The Global Privacy Control (GPC) is a mechanism that reduces the amount of work internet users need to do to manage their personal information while browsing the internet. It does this by sending a “Do Not Sell” signal to every website the user visits. This automatically opts users out of the sale of their personal information collected online.
This settlement makes it clear that California intends to require organisations to comply with the GPC. If you collect data from residents in California, you’ll need to ensure your website is set up to comply with universal opt-out signals, like the GPC.
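As an added illustration (not code from the post or from Sephora) of what “set up to comply with” the GPC looks like in practice: the signal arrives as the HTTP request header Sec-GPC: 1 (and as navigator.globalPrivacyControl in the browser), and a site honours it by not sharing that visitor’s data with third parties. The Node.js app, the header object shape, the sharingDecision and gpcWellKnownBody helpers and the lastUpdate date are all assumptions made for the example.

```javascript
// Added example (not the post's): honouring the Global Privacy Control (GPC)
// opt-out on the server. Assumes a Node.js app whose request headers are a
// plain object; "sharing" means loading the third-party analytics/ad tags that
// the Sephora complaint treated as a sale.

// GPC sends the opt-out as the request header "Sec-GPC: 1". A missing header
// or any other value is NOT an opt-out signal.
function gpcOptOutRequested(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Browser-side equivalent: scripts see the same signal as
// navigator.globalPrivacyControl === true.
function gpcOptOutInBrowser(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide whether third-party sharing may happen for this request.
// `storedOptOut` is the user's previously recorded "Do Not Sell" choice
// (account setting or first-party cookie), or null if none is recorded.
function sharingDecision(headers, storedOptOut = null) {
  if (gpcOptOutRequested(headers)) {
    // Honour the signal now and persist it so later visits that arrive
    // without the header are covered too.
    return { allowThirdPartySharing: false, persistOptOut: true, reason: 'gpc-signal' };
  }
  if (storedOptOut === true) {
    return { allowThirdPartySharing: false, persistOptOut: false, reason: 'stored-opt-out' };
  }
  // No opt-out on record: sharing may proceed, subject to whatever notice
  // and consent the site's privacy policy already requires.
  return { allowThirdPartySharing: true, persistOptOut: false, reason: 'no-opt-out' };
}

// Body for the optional /.well-known/gpc.json resource that tells GPC-aware
// clients the site honours the signal. The date is a constructed placeholder.
function gpcWellKnownBody(lastUpdate = '2022-09-01') {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests, not real traffic.
const sampleRequests = [
  { 'Sec-GPC': '1', 'user-agent': 'ExampleBrowser/1.0' },
  { 'sec-gpc': '0' },
  { 'user-agent': 'ExampleBrowser/1.0' },
];
sampleRequests.forEach((h) => console.log(sharingDecision(h)));
```

The decision should be made before any third-party tag is emitted in the page, and the persisted opt-out is what the settlement’s reporting obligations would expect a site to be able to evidence.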
Roe v Wade Relevant Here Too
Roe v Wade and its relationship to privacy also arose in this case. The complaint against Sephora referred to the prenatal and menopause support vitamins sold by the retailer, since information collected about users browsing this content could be used to infer conclusions about a woman’s pregnancy (and potentially an abortion).
The key takeaway here for Australian organisations is that sensitive information can be collected about customers from a wide range of data sources. Any practices your organisation has that involve the collection of sensitive information, directly or indirectly, should be carefully considered. If you ultimately decide to proceed with the collection, storage, and/or use of sensitive information, the risks of doing so must be managed.
To learn more about the relationship between Roe v Wade and privacy rights in the US, attend a free webinar on 26 October.
Or speak with one of our privacy lawyers about your organisation’s data privacy practices. We’d love to help.