Global Beauty Brand Settles Violations of CCPA over Shared Consumer Data
Last month, the California Attorney General announced a $1.2 million settlement resolving allegations that an international beauty retailer violated the California Consumer Privacy Act (CCPA) when the Company failed to disclose it was selling consumer information, misleading consumers to believe the Company did not sell their information.
The initial complaint stemmed from a June 2021 enforcement effort by the AG’s Office to determine whether any large online retailers failed to comply with the CCPA by providing consumers the opportunity to opt-out of third-party analytics and sharing of their information through user-enabled global privacy controls (GPC).
Through its initial investigation, the California Attorney General’s Office determined that the Company allowed third-party companies to install tracking software on its website, enabling the company to monitor consumer activity beyond just what consumers purchased. Further, the Company’s website did not register GPC prompts that would have enabled consumers to opt out of sharing their information, and failed to disclose their sale of consumer information required by the CCPA.
Following this initial discovery, the Company was informed of the Attorney General’s findings and was given 30 days to cure, but failed to take any of the steps advised by the Attorney General.
Under the Proposed Final Settlement and Permanent Injunction, the retailer must update its privacy policy to affirmatively reflect the company’s practice of selling consumer data, create a means for consumers to opt out of having their personal information sold, update third-party agreements to conform to CCPA requirements, conduct reviews of its policies for the next two years and issue a report of its findings, and update the Attorney General about the status of its relationship with service providers and any updates regarding its sale of personal information. Lastly, the retailer is also required to pay a $1.2 million penalty to be deposited into the State’s Consumer Privacy Fund.