Aggressive enforcement may be on the horizon now that businesses have had more than two years to comply with California’s landmark privacy law.

By Michael Rubin, Joseph Hansen, Robert Brown, Max Mazzelli, and Wesley Tiu

On August 25, 2022, the California Office of the Attorney General (OAG) announced that it had settled a complaint against Sephora alleging violations of the California Consumer Privacy Act (CCPA). The public settlement was the first since the CCPA became enforceable more than two years ago.

The Complaint

In its complaint, the OAG alleged that Sephora failed to:

  • disclose to consumers that it was selling their personal information;
  • post a “Do Not Sell My Personal Information” link on its website and homepage;
  • process user requests to opt out of those sales via user-enabled global privacy controls (such as the so-called Global Privacy Control, or GPC, which is a browser plug-in that is intended to communicate a sale opt-out signal to every page a user visits); and
  • cure these violations within the 30-day cure period allowed by the CCPA.

According to the complaint, when Sephora sells products online, it also collects personal information about its customers, including the products viewed or purchased, geolocation data, cookies and other identifiers, and other electronic network activity information. Sephora then allegedly installed or allowed the installation of third-party trackers on its website and app. As described in its privacy policy, Sephora uses these trackers to provide third parties, namely advertising networks, business partners, and data analytics providers, with information about Sephora’s customers for the purpose of obtaining advertising and analytics. The OAG alleged that the transfers of personal information via these trackers were “sales” because Sephora received free or discounted analytics and advertising benefits from those companies in exchange for its customers’ personal information.

The OAG also claimed that Sephora did not process user requests to opt out of sales via the GPC. This allegation was based on a broader “enforcement sweep of large retailers to determine whether they continued to sell personal information when a consumer signaled an opt-out via the GPC,” according to the complaint. The OAG said it conducted the test and investigation using “commercially available browser extensions to monitor network traffic involving third-party advertising and analytics providers,” and analyzing “how that traffic changed when the GPC sent its ‘do not sell’ signal.” The OAG found that turning on the GPC did not affect the flow of customer data from Sephora via trackers to third parties.


As a result, on June 25, 2021, the OAG notified Sephora of the alleged violations and gave the company 30 days to cure them. It is not clear why Sephora did not cure the alleged violations. The nature of the allegations suggests the claimed non-compliance could have been addressed, and the list of CCPA Enforcement Case Examples that the OAG published shows instances in which businesses have successfully cured violations after receiving notices to cure (which is why the OAG has not instituted any other public CCPA enforcement actions to date).

Sephora, however, allegedly failed to cure, leading to the instant enforcement action and settlement filed more than a year later. Sephora agreed to pay $1.2 million and comply with the following injunctive terms:

  • Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the GPC
  • Conform its service provider agreements to the CCPA’s requirements
  • Provide reports to the OAG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC


  • The OAG’s emphasis on the GPC is noteworthy. The OAG created the GPC through the CCPA regulations, despite a strong argument that the CCPA did not authorize the OAG to do so and that the GPC is in fact contrary to the CCPA. This argument was raised repeatedly during the CCPA rulemaking process, but no one has yet challenged the GPC regulation in court. As this complaint reflects, having created the GPC concept through rulemaking, the OAG is now aggressively pursuing compliance with the GPC, with this settlement reinforcing the OAG’s view that the GPC is a valid and enforceable CCPA requirement. In addition, in conjunction with the disclosure of the settlement, the OAG announced that it sent notices to a number of other businesses alleging a failure to recognize global privacy controls.
  • The OAG also supplemented a list of CCPA Enforcement Case Examples that it published last year with additional illustrative examples of situations in which it has sent notices of alleged non-compliance. The updated examples address alleged non-compliance related to opt-out processes, failure to accept requests to know and delete, failure to allow consumers to submit opt-out requests or requests to know via authorized agents, and insufficient and non-compliant notices or privacy policies.
  • The OAG’s press release on the settlement strongly signaled that the OAG is moving towards a more aggressive enforcement posture now that businesses have had more than two years to comply with the CCPA and the mandatory notice-to-cure period is expiring on January 1, 2023:

I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.

Companies should take stock of the lessons learned from the Sephora settlement as they consider the additional steps they will need to take before the beginning of next year to comply with the CCPA amendments promulgated by the California Privacy Rights Act.