CURRENT MONTH (August 2022)
CCPA Settlement: Retailer Accused of Violation of Privacy Laws Agrees to Pay $1.2 Million Penalty to California Attorney General
By Alan S. Wernick, Esq., Aronberg Goldgehn
In the California Attorney General’s (“CAG”) ongoing enforcement of the California Consumer Privacy Act of 2018 (“CCPA”), retailer Sephora USA, Inc. (“Sephora”), entered into a recent settlement agreement to resolve allegations that they violated the CCPA. Sephora, without making any admissions concerning allegations against it, agreed to, among other things, the following:
- Pay CAG $1.2 million dollars in penalties.
- Clarify Sephora’s online disclosures and privacy policies to include an affirmative representation that it sells consumers’ data, and provide processes for consumers to opt out of the sale of personal information, including via the Global Privacy Control.
- Provide reports to the CAG relating to Sephora’s sale of personal information and its efforts to honor Global Privacy Control. These reports will include the identities of all entities to which Sephora makes available the consumer’s personal information, and whether such entity is considered, under CCPA, to be a service provider.
In his statement about this matter, the CAG noted, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” Even if your business does not have a physical location in California, if your business handles California residents’ personal information, you may nonetheless be liable under the CCPA.
© 2022 Alan S. Wernick and Aronberg Goldgehn.
FTC Trade Regulation Rule on Commercial Surveillance and Data Security
By Rich Green, Gordon Rees Scully Mansukhani
The Federal Trade Commission’s August 22 Advance Notice of Proposed Rulemaking for privacy and data security (the “Data Protection ANPR”) is about getting answers. Specifically, the FTC seeks answers to ninety-five questions regarding how rulemaking might be used for, or affect, everything from e-commerce privacy to data security, to sector-specific consumer tracking and surveillance. There’s more to it than that, however. With the American Data Privacy Protection Act stalled, the Data Protection ANPR is as much about pushing Congress as it is FTC rulemaking—rulemaking FTC commissioner Noah Joshua Phillips noted in a statement that he feels it “go[es] beyond the Commission’s remit and outside its experience.” Time will tell. The public has until October 21 to provide comment.