
California’s Sephora Enforcement Action – What Does It Mean for Australian Organisations?

While million-dollar fines are commonplace in Europe, the $1.2 million settlement following the Sephora Enforcement Action is the first of its kind in the US. Learn why this settlement is significant and what it means for Australian organisations in this post:  

Sephora Privacy Complaint & Settlement 

The complaint against Sephora focused on the retailer’s practice of transferring data to third parties. California’s Attorney General (AG) alleged that this transfer amounted to a sale of data and, as a result, Sephora should have had a “Do Not Sell” link on its site.  

It alleged the transfer was a sale because the third parties received the data in exchange for free or discounted analytic reporting to Sephora. The third parties were generally permitted to keep the personal information about an online shopper’s activities and use it as they wished.  

You can read the Complaint here. 

Under the settlement, Sephora must:  

  • Pay $1.2 million in penalties;  
  • Update its online disclosures and privacy policy to state that it sells data;  
  • Allow users to opt-out of the sale of personal information;  
  • Update its service provider agreements; and  
  • Report to the AG about the sale of personal information, service provider relationships, and its efforts to honour the Global Privacy Control. 

It is worth noting that the total cost of the settlement will exceed the $1.2 million penalty. Complying with the settlement provisions and reporting requirements will be expensive in itself. Sephora will also need to manage the damage to its reputation caused by its poor privacy practices.  

Key Takeaways from the Sephora Enforcement Action: What Can Australian Organisations Learn?  

Understand Your Data Flows 

It is becoming increasingly important for organisations to know, understand, and map data flows.  

To remain compliant and competitive, you should: 

  • Know where, when, and for what purpose your organisation collects data – especially if it is sensitive personal information. 
  • Have a map identifying where that data flows, including to any third parties.  
  • If you transfer or sell data to third parties, you should have agreements in place that dictate the terms of use of that data – as well as safeguards in place to protect it. 
  • Consider adopting very transparent disclosures about your privacy practices and data use. You should use clear and easy-to-understand language.  
  • Make it easy for your customers to access and control their personal information. 
  • Consider updating your website’s functionality to honour global opt-out mechanisms, like the Global Privacy Control.  

California Poised to Enforce Global Privacy Control (GPC) & Opt-Out Mechanisms 

The Global Privacy Control (GPC) is a mechanism that reduces the amount of work internet users need to do to manage their personal information while browsing the internet. It does this by sending a “Do Not Sell” signal to every website the user visits. This automatically opts users out of the sale of their personal information collected online. 

This settlement makes it clear that California intends to require organisations to comply with the GPC. If you collect data from residents in California, you’ll need to ensure your website is set up to comply with universal opt-out signals, like the GPC.  
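The following is an added example (not code from the Privacy 108 post or from Sephora) showing how a website can recognise the GPC signal and act on it. Under the GPC specification, a browser with GPC enabled sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl === true` to page scripts; the function names, the tag catalogue and the sample request below are constructed for this example.

```javascript
// Added example: honouring the Global Privacy Control (GPC) opt-out signal.
// Per the GPC spec, a GPC-enabled user agent sends "Sec-GPC: 1" with each
// request and exposes navigator.globalPrivacyControl === true to scripts.
// Function names, the tag catalogue and the sample request are constructed.

// Server side: decide from the request headers whether the visitor has opted
// out of the sale/sharing of their personal information.
function gpcOptOutFromHeaders(headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const lowered = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lowered[name.toLowerCase()] = String(value).trim();
  }
  // The spec defines exactly the value "1"; any other value is not an opt-out.
  return lowered["sec-gpc"] === "1";
}

// Browser side: the same decision from the navigator object. The object is
// passed in rather than read globally so the logic can be exercised in tests.
function gpcOptOutFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Constructed catalogue of tags a page might load. Each entry records whether
// the tag passes personal information to a third party, which is the property
// the Sephora complaint turned on.
const TAG_CATALOGUE = [
  { id: "first-party-analytics", sharesWithThirdParty: false },
  { id: "ad-network-pixel", sharesWithThirdParty: true },
  { id: "analytics-vendor-beacon", sharesWithThirdParty: true },
];

// Return the ids of the tags that may be loaded. When the visitor has opted
// out, every tag that shares data with a third party is suppressed.
function tagsToLoad(optedOut, catalogue = TAG_CATALOGUE) {
  return catalogue
    .filter((tag) => !(optedOut && tag.sharesWithThirdParty))
    .map((tag) => tag.id);
}

// Combine the two sources: either signal is sufficient to opt the user out.
// A persisted "Do Not Sell" choice made via a site link would be OR-ed in the
// same way; it is represented here as a plain boolean.
function effectiveOptOut({ headers, nav, storedDoNotSell = false }) {
  return (
    gpcOptOutFromHeaders(headers) ||
    gpcOptOutFromNavigator(nav) ||
    storedDoNotSell === true
  );
}

// Constructed sample request from a GPC-enabled browser.
const sampleRequest = {
  headers: { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0 (constructed)" },
};

// Worked run: the visitor above gets only the first-party tag.
function demo() {
  const optedOut = effectiveOptOut({ headers: sampleRequest.headers });
  return { optedOut, tags: tagsToLoad(optedOut) };
}
```

Two design points worth noting. The decision is made from the request itself on every page load, so a visitor who enables GPC after a previous visit is honoured immediately rather than after some cache expires. And because the header is the only input on the server side, the suppression of third-party tags can be enforced before any script runs, which is the point at which the data transfer the complaint described would otherwise happen.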

Roe v Wade Relevant Here Too 

Roe v Wade and its relationship to privacy also arose in this case. The complaint against Sephora referred to the prenatal and menopause support vitamins sold by the retailer, since information collected about users browsing this content could be used to infer conclusions about a woman’s pregnancy (and potentially an abortion).  

The key takeaway here for Australian organisations is that sensitive information can be collected about customers from a wide range of data sources. Any practices your organisation has that involve the collection of sensitive information, directly or indirectly, should be carefully considered. If you ultimately decide to proceed with the collection, storage, and/or use of sensitive information, the risks of doing so must be managed.  

To learn more about the relationship between Roe v Wade and privacy rights in the US, attend our free webinar on 26 October. 

Or speak with one of our privacy lawyers about your organisation’s data privacy practices. We’d love to help.  

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.