Sephora Third-Party Cookies Case Serves As A Wakeup Call Before 2023

The CCPA and CPRA

After setting a precedent for the government’s role in protecting users’ data back in June 2018, the state of California has decided to move forward with an update to its Consumer Privacy Act (CCPA) that will see it reworked and renamed under a new title – CPRA, or California Privacy Rights Act.
The new change is aimed at enhancing the nearly five-year-old piece of legislation to better meet the needs of today’s technology and risks, and was officially approved in 2020.

The Cure Period?

Those familiar with the CCPA will know that under the current law, businesses are given a 30 day window to fix any violations before they can be fined. This ‘cure period’, as it has come to be known, was originally baked into the CCPA’s legislation to allow businesses time to adjust to the new law and get their houses in order.

Now, with the CPRA on the horizon, that cure period is set to be scrapped, with any grace periods being at the whim of the California AG and newly created Consumer Privacy Protection Agency. This agency will have the power to bring actions against businesses for statutory damages, and with no default cure period in place, that could mean some hefty fines for businesses that don’t take the necessary steps to comply with the law.

Existing Circumstances Spell Trouble for Future Compliance: Sephora’s Recent Third-party Cookie Case

While the changes the CPRA is set to bring to the CCPA are important, the question of businesses’ ability to comply with them remains up in the air. After all, there are several prominent examples you could point to of companies failing to meet current guidelines – adhering to newer and more stringent ones? That might be a challenge.

The latest reminder of this issue has come with Sephora’s recent CCPA settlement. The beauty company just ended a months-long endeavor of tussling with the Attorney General’s office over a claim it had violated several provisions of the law, including the requirements to disclose the sale of personal information, the presence of a “Do Not Sell My Personal Information” button, and honoring Global Privacy Control (GPC) signals.

Under current law, companies are given a 30 day window to fix any violations before they can be fined. Sephora was afforded this luxury, however failed to take adequate steps to remediate the situation. On August 24th of this year, the California AG’s office announced a $1.2 million action against the company – one that could have been avoided had they taken action sooner.

What makes Sephora’s settlement so notable isn’t just the fact that it’s massive, or that it’s the first public fine for a violation of the CCPA. No, what’s most important here is that it serves as a reminder of businesses’ current ability – or lack thereof – to comply with consumer privacy regulations. Even after 30 days of grace, the beauty giant couldn’t get its compliance together, and was ultimately forced to pay out a hefty fine as a result.

Sephora Isn’t Alone

Sephora isn’t the only major company to get into hot water over a lack of compliance with data privacy regulations.

Snap Inc. recently settled a class action lawsuit, agreeing to pay litigants $35 million for collecting, possessing, and disclosing users’ biometric data when they activated the lens and filter features on the Snapchat app.

The UK’s Information Commissioner’s Office (ICO) has also issued TikTok a notice of intent, signaling that it plans on potentially levying a £27 million fine against the super platform for illegally processing the data of children under the age of 13 without parental consent.

What this points to is a worrying trend: even when given the time to get their compliance houses in order, some of the world’s largest companies are still failing to meet the guidelines set out by data privacy regulations.
Now, imagine if the CPRA’s stricter guidelines were already in effect. If Sephora – a company with seemingly endless resources – couldn’t get it together to meet the CCPA’s standards, how many other businesses will struggle to meet the CPRA’s?

The answer, unfortunately, is probably quite a few. And with no cure period in place, the potential fines they could face as a result could be crippling.

What Can Businesses Do?

To say that the future of CCPA compliance is uncertain would be an understatement. But that doesn’t mean businesses should throw their hands up in defeat and do nothing.

There are still steps companies can and should take to get ahead of the curve and prepare for the CPRA’s arrival. Here are a few suggestions:

• Review the changes the CPRA is set to bring and determine which areas of your business will be most affected.
• Take a close look at your current compliance efforts and assess where you might need to make changes.
• Begin training employees on the new law and what it will mean for the way you do business.
• Update your privacy policies and notices to reflect the new requirements.
• Put systems in place to help you track and manage consumer requests.

Doing all of this won’t guarantee that you’ll be compliant when the CPRA goes into effect. But it will put you in a much better position to meet the law’s requirements and avoid any potential fines.