This article is authored by WLJ Tech Law attorneys Meredith Lowry and MaryScott Polk.

The new California Consumer Privacy Act (CCPA) has its first enforcement settlement, and Sephora will pay $1.2 million based on allegations that it failed to tell customers it was selling personal information that it had collected from them.

The CCPA gives individuals rights regarding their personal information collected by businesses, including the ability to exercise control over the use and sale of their personal information. As a consumer in California, you have the right to ask a business what personal information it has about you and how it uses that information, have your personal information deleted, request that a business stop selling your personal information, and be notified of the categories of personal information collected and the purposes for collecting it. These rights apply to all for-profit businesses doing business in California that either have a gross revenue of over $25 million, make 50% of their annual revenue from selling California residents’ personal information, or buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices. Sephora ran afoul of the last of these, but this enforcement action turned entirely on the meaning of “sell.”

A company sells its consumers’ personal information under the CCPA when it provides the personal information to a third party in exchange for something of value, typically money. The California Attorney General took the position that Sephora’s exchange of personal information for free or discounted analytics and advertising services was a “sale.” The arrangement that Sephora had is typically considered a service provider agreement, but in the absence of a service provider agreement that controls the use of the data by the service provider, the Attorney General found that Sephora had violated its obligation to notify California residents of the sale of their data.

In addition to the $1.2 million in penalties, Sephora is required to clarify its online disclosures and privacy policy, provide methods to allow consumers to opt out of the sale of their information, including via global privacy controls, amend its service provider agreements to satisfy the requirements of the CCPA, and produce reports on the sale of personal information to the Attorney General.

While California is the first state to enact strict consumer privacy rights, other states, including Colorado, Connecticut, Utah, and Virginia, have followed by enacting consumer privacy laws of their own. Other states are following suit. While not all of our clients are reaching the threshold for the CCPA, it is important to look ahead and initiate steps to comply with data privacy regulations in preparation for the privacy protections that will inevitably apply to them in the future.