There's been plenty of bark with California Consumer Privacy Act enforcement since the law entered into force January 2020 and now the bite has arrived. California Attorney General Rob Bonta announced the first enforcement action under the CCPA, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions.

According to the attorney general's office, Sephora's violation specifically concerned the failures to inform individuals about the sale of their data and process sale opt outs through the Global Privacy Control. The retailer did not utilize the 30-day cure period allowed under the CCPA.

The settlement also includes commitments to operational improvements, including proper consumer opt-out mechanisms, and two years of required reports to the attorney general outlining Sephora's sale of personal information, details on service provider relationships and efforts to honor Global Privacy Control.

"I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable," Bonta said in his office's statement. "It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls."

Setting the bar

The landmark action makes good on the office's prior messaging since CCPA enforcement began in July 2020 following the six-month grace period provided under the law. Bonta marked the one-year anniversary of enforcement last July by issuing an enforcement progress report showing a majority of companies were complying with provisions or utilizing the cure provision, which sunsets in 2023.

"Attorney General Bonta’s public enforcement announcement is entirely consistent with what he has said his priorities were from the inception," Mayer Brown Partner Dominique Shelton Leipzig, CIPP/US, said. "It is also totally consistent with what (U.S.) Vice President (Kamala) Harris said when she was our California attorney general, and what (U.S. Department of Health and Human Services) Secretary (Xavier) Becerra said when he was our attorney general. I hope that companies will view this as a catalyst to become compliant with the CCPA and cookie requirements ASAP.”

With last year's enforcement update, Bonta said companies "want to know how" to comply with CCPA requirements and the attorney general wasn't attempting to serve "any 'gotchas'" with cure notices. The Sephora settlement stayed true to Bonta's words as case examples published by the attorney general's office last July — and updated alongside the enforcement action announcement — included a case related to adherence to sale opt-out provisions and GPC standards.

"Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale," Bonta said in the wake of the first action.

Angle and significance

Much is unknown regarding why the Sephora complaint was the first to be acted upon by the attorney general's office. It may have been an instance of the case being first in line, but Future of Privacy Forum Senior Counsel Stacey Gray, CIPP/US, opined that the case was selected as "a strategic choice."

"It's very important for the (attorney general) to get this on the books, because it bolsters CCPA's key (only) redeeming feature: the universal opt-out," Gray said, adding the "most significant outcome" from the settlement is the two-year GPC reporting requirement.

GPC itself is a hotly-debated topic within California law due in large to an update to the attorney general's CCPA FAQ page in 2021 that changed language for how companies treat GPC. The updated language on GPC in the document said the opt-out mechanism "must be honored by covered businesses as a valid consumer request to stop the sale of personal information." Companies have been left to decide whether to follow the FAQ language or the law, which many argue makes GPC voluntary rather than required.

High Tech Law Institute co-Director and Privacy Law Certificate Faculty Supervisor Eric Goldman told The Privacy Advisor the enforcement action "shows the morass" of GPC and how the attorney general's office and the California Department of Justice as a whole have "fetishized" the mechanism as a core component to consumer protection despite the fact "most consumers and businesses are not even aware of it."

"I imagine the California DOJ could easily find thousands of other CCPA-regulated businesses that do not honor the GPC signal, so the GPC remains a target-rich topic for future enforcements if the California DOJ wants to spend its prosecutorial resources that way," Goldman said. "Would a GPC crackdown make any consumers' lives better? I'd love to see the CADOJ's empirical support for that proposition."

The action against Sephora also shines a light on the attorney general's interpretation of the CCPA's "sale" definition, another much-discussed topic in privacy circles. Consumer Reports Director of Technology Policy Justin Brookman laid it out plainly, saying, "if you get a commercial benefit from sharing data, that's a sale under CCPA" and such activity "triggers ... various obligations." Such a broad interpretation continues to grab the ire of Goldman and others.

"It counterintuitively reaches relationships where the data controller is retaining vendors to provide services to it," Goldman said "No layperson would ever define that relationship as a 'sale.'"