California, Sephora Resolve Consumer Data Breach for $1.2 Million

California Attorney General Rob Bonta said on Wednesday that his office has reached a $1.2 million settlement with cosmetics retailer Sephora for alleged violations of California’s consumer data law.

According to Bonta, Sephora broke the California Consumer Privacy Act by not informing customers that their data was being sold and by not honoring their requests to opt out. He revealed that third parties were utilizing Sephora’s data to monitor things like online shoppers’ location and the products they viewed in their virtual shopping carts.

Founded in France and now operating out of San Francisco, Sephora has said that it “respects consumers’ privacy and seeks to be honest about how their personal information is utilized to better their Sephora experience.”

The statement continued, “Sephora was not the target or victim of a data breach, and this agreement with the California Office of the Attorney General (‘OAG’) does not imply an admission of liability or wrongdoing by Sephora. Sephora’s policies and procedures already meet the requirements of the CCPA, and the company has always worked closely with the OAG. When it comes to consumer privacy, we value the OAG’s insight and advice and are aware of the significance of meeting ever-evolving regulatory standards.”

“The settlement announced today should serve as a warning to companies that are still violating California’s consumer privacy law, and I hope it does,” Bonta warned. “My office is monitoring, and we will hold you accountable.”

The deal calls for Sephora to disclose its data-selling practices to customers, provide opt-out mechanisms, and report to the state attorney general.

Compared to other companies, Bonta claimed on a call with reporters, Sephora’s infractions were “egregious,” and the company at first refused to fix the problems.