In his first enforcement action under the California Consumer Privacy Act (“CCPA”), California Attorney General Rob Bonta announced a stipulated final judgment with Sephora USA, Inc., a multinational personal care and beauty company, that requires Sephora to pay $1.2 million to the state’s Consumer Privacy Fund. The Attorney General alleged that “Sephora failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the 30-day period currently allowed by the CCPA.” Sephora denies the Attorney General’s allegations.

The stipulated Final Judgment and Permanent Injunction requires Sephora to pay $1.2 million to the state’s Consumer Privacy Fund. In addition to paying $1.2 million, Sephora also is required to “clearly” provide notice to consumers that it sells their personal information, and to inform consumers that they have a right to opt out of all sales. For the next two years, Sephora also must implement an assessment and monitoring program, submit annual reports to the Attorney General detailing the names of the entities with which it shares personal information, and ensure that its service provider relationships are compliant with the requirements of CCPA. The Final Judgment further requires Sephora to honor opt-out requests submitted by user enabled, automated services like Global Privacy Control, which automatically sends opt-out notices to websites through a browser extension that consumers may install.

The CCPA requires the Attorney General to provide notice to companies in violation of CCPA and gives them 30 days to cure any alleged violations. This notice and opportunity to cure provision expires on January 1, 2023 with the newly effective California Privacy Rights Act (“CPRA”), which means that next year it is open season on businesses that fail to comply with the law. Attorney General Bonta has already conducted enforcement sweeps of businesses operating loyalty programs, an online advertising company that provided confusing and inadequate privacy disclosures, and a data broker whose “do not sell” link was only partially operational and contained an opt-out process that required multiple steps.

The Attorney General made clear that he intends to pursue companies that fail to comply with the CCPA. In the press release announcing the Final Judgment against Sephora, Bonta stated, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. . . . There are no more excuses.”