
While million-dollar fines are commonplace in Europe, the $1.2 million settlement following the Sephora Enforcement Action is the first of its kind in the US. Learn why this settlement is significant and what it means for Australian organisations in this post:
The complaint against Sephora focused on the retailer’s practice of transferring data to third parties. California’s Attorney General (AG) alleged that this transfer amounted to a sale of data and, as a result, Sephora should have had a “Do Not Sell” link on its site.
It alleged the transfer was a sale because the third parties received the data in exchange for free or discounted analytic reporting to Sephora. The third parties were generally permitted to keep the personal information about an online shopper’s activities and use it as they wished.
You can read the Complaint here.
Under the settlement, Sephora must:
It is worth noting that the costs of the settlement will exceed the $1.2 million penalty. The costs of complying with the settlement provisions and reporting requirements will be expensive. Sephora will also need to manage the damage to its reputation for its poor privacy practices.
It is becoming increasingly important for organisations to know, understand, and map data flows.
To remain compliant and competitive, you should:
The Global Privacy Control (GPC) is a mechanism that reduces the amount of work internet users need to do to manage their personal information while browsing the internet. It does this by sending a "Do Not Sell" signal to every website the user visits. This automatically opts users out of the sale of their personal information collected online.
This settlement makes it clear that California intends to require organisations to comply with the GPC. If you collect data from residents in California, you’ll need to ensure your website is set up to comply with universal opt-out signals, like the GPC.
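As an added illustration (not code from the original post or from Sephora's site), the following JavaScript shows what "set up to comply with universal opt-out signals" looks like in practice. It relies on the two signals the GPC specification defines: a browser with GPC enabled sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl === true` to page scripts; a site can also publish `/.well-known/gpc.json` to declare that it honours the signal. The tag catalogue and the sample requests are constructed for the example.

```javascript
// Added example: honouring the Global Privacy Control (GPC) opt-out signal.
// Header name, header value and the navigator property are those defined by
// the GPC specification; everything else here is constructed for illustration.

// Server side: decide from request headers whether this visitor has opted out
// of the sale/sharing of their personal information. `headers` is a plain
// object keyed by lower-cased header names, as Node's
// http.IncomingMessage.headers provides.
function gpcOptOutRequested(headers) {
  const value = headers['sec-gpc'];
  // The spec defines exactly the value "1" as "opt out"; anything else
  // (absent, "0", malformed) is treated as no signal rather than as opt-in.
  return typeof value === 'string' && value.trim() === '1';
}

// Hypothetical tag catalogue (constructed): each third-party tag is marked as
// to whether loading it would transfer personal information to a third party
// for that party's own use, which is the conduct the Sephora complaint targeted.
const TAGS = [
  { name: 'first-party-analytics', sharesPersonalData: false },
  { name: 'ad-network-pixel', sharesPersonalData: true },
  { name: 'retargeting-beacon', sharesPersonalData: true },
];

// Return the names of the tags the page may load for this request. When the
// GPC signal is present, every tag that shares personal data is suppressed.
function allowedTags(headers, tags = TAGS) {
  const optedOut = gpcOptOutRequested(headers);
  return tags
    .filter((tag) => !optedOut || !tag.sharesPersonalData)
    .map((tag) => tag.name);
}

// Body for the spec's well-known resource at /.well-known/gpc.json, through
// which a site declares that it honours GPC. `lastUpdate` is an ISO 8601 date.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Client side: the same decision for scripts that run in the browser, where
// the signal is exposed as navigator.globalPrivacyControl.
function gpcOptOutInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests.
const sampleWithGpc = { host: 'shop.example', 'sec-gpc': '1' };
const sampleWithoutGpc = { host: 'shop.example' };
console.log(allowedTags(sampleWithGpc));    // only 'first-party-analytics'
console.log(allowedTags(sampleWithoutGpc)); // all three tags
console.log(gpcWellKnown('2022-09-01'));
```

The point of the catalogue flag is that honouring GPC is a data-flow question, not a cookie-banner question: the site has to know which tags move personal information to third parties before it can suppress them, which is the mapping exercise the rest of this post recommends.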
Roe v Wade and its relationship to privacy also arose in this case. The complaint against Sephora referred to the prenatal and menopause support vitamins sold by the retailer, since information collected about users browsing this content could be used to infer conclusions about a woman's pregnancy (and potentially an abortion).
The key takeaway here for Australian organisations is that sensitive information can be collected about customers from a wide range of data sources. Any practices your organisation has that involve the collection of sensitive information, directly or indirectly, should be carefully considered. If you ultimately decide to proceed with the collection, storage, and/or use of sensitive information, the risks of doing so must be managed.
To learn more about the relationship between Roe v Wade and privacy rights in the US, attend a free webinar on 26 October.
Or speak with one of our privacy lawyers about your organisation’s data privacy practices. We’d love to help.