It’s Time to Makeup For Your Wrongs: California’s AG Declares First CCPA Enforcement Action Against Mega Retailer Sephora


By: Julia Bover

On August 24, 2022, California Attorney General Rob Bonta issued the first-ever enforcement action under the California Consumer Privacy Act (“CCPA”) against cosmetics retail chain Sephora. 

The CCPA was signed into law in 2018 and went into effect in 2020, and provides enhanced privacy rights for California’s consumers including: 

  • The right to know about personal information a business collects and how it is used;  
  • The right to delete personal information collected about them;  
  • The right to opt-out of the sale of personal information; and 
  • The right to non-discrimination for exercising these rights.  

The CCPA also requires that websites respect the preferences of consumers who choose to use Global Privacy Control (“GPC”). GPC is an all-in-one technical specification for opting out of the sale of any and all personal information on each and every website used by the indicated consumer. This privacy solution is provided through web browsers or easily installable browser extensions.

The complaint against Sephora alleges that the company withheld information about the sale of its customers’ private information in its privacy notice. Through its website, Sephora collects personal information and shopping history/habits from its users. Sephora then provides this information to interested third parties, such as advertising companies and data analytics providers, in exchange for their services. The AG deemed this arrangement a “sale” under the CCPA, because personal information was disclosed by one party to another party in exchange for money or other valuable consideration. Additionally, the complaint alleges that Sephora failed to provide a “Do Not Sell My Personal Information” button or comply with additional opt-out requirements established by the CCPA. Lastly, the complaint alleges that Sephora also failed to recognize the preferences of consumers who had enabled GPC on their browsers.

As a result of Sephora’s missteps, the company has agreed to a $1.2 million settlement and is required to adhere to various other injunctive terms. This includes a two-year requirement for Sephora to conduct annual assessments reporting on whether it has effectively processed consumer requests to opt out of the sale of their personal information. Sephora must also report the findings of said assessments to the California AG’s office. It is important to note that this could have been avoided had Sephora made the AG’s initial prescribed adjustments within the CCPA’s 30-day cure period. 

The California AG chose to proceed with an action against the retailer to convey that any business operating within California must adhere to the CCPA’s guidelines, no matter their size, the nature of their work, or their country of origin. The AG’s office also updated their case example list to shed light on additional instances where notices were issued. Most of these examples involve failures to properly provide opt-out selections, thereby indicating that the AG’s office intends to place an emphasis on this offense. 

If they have not done so already, businesses should review their online privacy practices to ensure that they have CCPA-compliant controls in place on both their websites and their applications. If they do not, the California AG’s office continues to issue notices of non-compliance and, now, enforcement actions for fines and injunctive terms. Enforcement of the California Privacy Rights Act (CPRA) will begin in 2023.

For further information and inquiries please contact Julia Bover at or another attorney in our Data Security, Privacy, & Technology practice group.