California AG Announces First Enforcement Actions from the California Consumer Privacy Act (CCPA)

Following an investigation into the privacy practices of Sephora surrounding its collection, use, and sale of consumers’ online activities and other personal information, the California Attorney General (AG) and Sephora agreed to a settlement.

On August 24, 2022, the California AG announced its first enforcement actions arising from the California Consumer Privacy Act – marking a new dawn for CCPA compliance.

In the settlement, Sephora agreed to become compliant with the CCPA in the following ways:  

    • To provide notice to consumers that clearly states that it sells their personal information and that they have the right to opt-out of all sales
    • To process consumer requests to opt-out signaled via the Global Privacy Control (GPC)
    • To comply with the provisions of the California Privacy Rights Act (CPRA) related to providing notice of sale of consumers’ personal information and of their rights to opt-out once the CPRA becomes operative on January 1, 2023
    • To establish a compliance program that enables businesses to adhere to assessment and reporting requirements to the AG for two years within 180 days
    • To pay a $1.2 million settlement fine
    • To conduct a regular annual review of its website and mobile applications to determine the entities to which it makes personal information available
    • To enter into contracts that meet the requirements laid out in the CCPA for service providers (§1798.140(v)). Sephora must document this and include it in the annual report

The settlement terms add a significant administrative obligation that Sephora must meet.

These sanctions carry more than a financial cost in terms of fines; they also add to the executive and overall compliance costs.

There’s a fresh spotlight on the immediate need for CCPA compliance with this settlement for violating State laws. Simply put, non-compliance will only result in a long and painful road for businesses.

This calls for a scrutinizing look at internal processes – adding to time, cost, and other resources for course correction. In this competitive age, brands shouldn’t risk diluting trust with today’s informed and privacy-oriented consumers. 

The AdTech State of Affairs – A Very Narrow Scope

Since its inception, the CCPA has granted California consumers the right to opt-out of a sale of their personal information.

The CCPA defined sale as:
“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

One of the major challenges from this definition has been how to interpret “or other valuable consideration.”

In the Sephora case, the AG and Sephora agreed to what appears to be a new term: Sale Using Online Tracking Technology.

In interpreting the definition of sale, keep in mind that Sephora’s decision is very narrow and limited with respect to this new definition pertaining to just sales “Using Online Tracking Technology.”

Earlier, businesses had not been given insight into what a sale would look like in the context of a company using online tracking technology.

Pre-Sephora, businesses had to rely on the statutory definition of sale to interpret whether their activities fell within scope.

Accordingly, the Final Judgment’s construing valuable consideration to include (but not limited to) receiving “personal information or other information such as analytics; or free or discounted services” only pertains to those sales involving the use of online tracking technology.

Dissecting the Non-Compliance Issues: 13 Enforcement Examples, and Global Privacy Controls (GPC)

13 Enforcement Examples

On the same day it released details about the Sephora settlement, the AG bolstered its case that CCPA compliance meant more than evaluating a Sale and processing preference signals through GPCs.

In its revised enforcement examples, the AG listed 13 new enforcement examples, making it a whopping 40 total examples that have been provided.

While the details of the investigations are not made public, the examples provide insight into what is on the AG’s radar.  

To start, the AG’s enforcement focus did not zero in on any particular industry: the examples span consumer retail, hospitality, home improvement, technology, healthcare, medical devices, and the fitness industry.

Some of the Issues Identified are Not New

A common theme for the AG continues to be finding non-compliant privacy policies, notice of financial incentive, and notice of collection.

The importance of complying with the CCPA’s privacy notice requirements cannot be overstated. The latest examples include new issues not previously identified.

For example: failure to honor consumer opt-outs of sales; no request methods; erroneous treatment of requests to know; requiring consumers to waive/limit CCPA rights; a limited number of requests to know; and sale of personal information.

The addition of new issues beyond the 27 previous examples should be a sign that the AG is willing to leave no compliance stone unturned, not only challenging a covered business’s self-assessment of whether they sell but also testing those companies’ willingness to recognize signals sent via GPCs.

The Global Privacy Control (GPC)

Under the CCPA, a business must configure its website to detect or process user-enabled global privacy control signals, such as using the GPC.

The Global Privacy Controls (GPC) enable consumers to opt-out of all online sales in one fell swoop by broadcasting a ‘do not sell’ signal across every website they visit. These controls eliminate the need for consumers to click on an opt-out link each time manually.

Organizations must treat such GPC opt-out requests the same as requests made by users who have clicked the Do Not Sell My Personal Information link.
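One way to detect the signal server-side and give it the same effect as a click on the opt-out link, as an added example that is not from the original article or from any vendor's product. It assumes the request header defined by the GPC specification (Sec-GPC: 1), which the article does not name; the function names, the stored-preference shape and the tag inventory are hypothetical.

```javascript
// Added example: server-side handling of the GPC request header (Sec-GPC: 1).
// resolveSaleOptOut, tagsToRender and the tag list are hypothetical names.

// Constructed sample inventory: which page tags disclose personal
// information to a third party (a "sale" in the sense discussed above).
const TAGS = [
  { id: "first-party-session", sellsPI: false },
  { id: "thirdparty-analytics", sellsPI: true },
  { id: "thirdparty-ads", sellsPI: true },
];

// The GPC specification uses the header value "1" to express the preference;
// anything else (absent, "0", "true") is treated as no signal.
function hasGpcSignal(headers) {
  // Node's http module lowercases header names; normalise for other callers.
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  if (!entry) return false;
  const value = Array.isArray(entry[1]) ? entry[1][0] : entry[1];
  return String(value).trim() === "1";
}

// A GPC signal and a click on "Do Not Sell My Personal Information" lead to
// the same state. The signal can only add an opt-out, never undo a stored one.
function resolveSaleOptOut(headers, storedPrefs = {}) {
  const viaLink = storedPrefs.doNotSell === true;
  const viaGpc = hasGpcSignal(headers);
  return { optedOut: viaLink || viaGpc, source: viaGpc ? "gpc" : viaLink ? "link" : null };
}

// Only tags permitted under the decision are rendered into the page.
function tagsToRender(decision, tags = TAGS) {
  return tags.filter((t) => !(decision.optedOut && t.sellsPI)).map((t) => t.id);
}
```

Recording the `source` alongside the decision gives an audit trail showing that signals were processed, which is the gap the complaint against Sephora describes.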

The AG’s complaint alleged Sephora was selling its consumers’ personal information. In Sephora’s case, consumers who made requests via the GPC did not have those requests processed.

The enforcement action made it clear that brands should make sure consumers are able to easily opt-out of any selling of their personal information.

Introduced in October 2020, GPC aimed to help consumers universally communicate their privacy preferences with ease on supported browsers. The initiative also received support from California AG back in January 2021.  

By July 2021, further backing GPC in a fresh round of CCPA enforcement, the office of California AG Rob Bonta issued letters to several organizations for failing to comply with GPC requirements under the CCPA.

Harmonizing Opt-Out Preference Signal Requirements Between the States:  A Trend to Watch

If a website detects a GPC that signals a preference not to sell/ share PI, the website must block the PI from being sold or shared in a way that is consistent with the user’s GPC signal (ignore the signal’s “request to” to opt-out).

Colorado and Connecticut have different requirements for whether businesses must recognize opt-out preference signals.

In Colorado’s Privacy Act (CPA), the requirements around recognizing an opt-out preference signal are less onerous on controllers (or covered businesses in CA).

Connecticut’s privacy law, meanwhile, is more aligned with the CCPA, requiring controllers to recognize opt-out preference signals sent via a mechanism or platform.

In requiring businesses to recognize preference signals, the AG has pushed technology to catch up with the law, encouraging privacy-driven innovation.

The evolution of user enabled opt-outs

DAA & NAI initiatives 

These initiatives allowed participating consumers to opt-out of targeted advertising by the companies in the NAI’s and DAA’s initiatives. Participation was voluntary, so of course participation was limited.

Consumers could opt-out in general, or consumers could opt-out individually.

This arrangement didn’t stop the collecting of personal information or identifying the consumer. It prevented targeted advertising and wasn’t really a privacy solution because PI could still be collected. 

Do Not Track (DNT)

There was a mechanism used to send a consumer preference signal. Companies would adhere to the signal if they received it.

So, many companies invested, and some browsers implemented the header. There was even a user-interface where the DNT signal could be easily turned on or turned off globally.

The downfall, however, was that there was no legislation backing the DNT, which created a false sense of consumer protection.

Present Enforcement – Consent Flows

Today, consumer preferences are handled through Notice and Consent via cookie banners and multi-step consent flows.

In some cases, cookie banners can be managed by going to opt-out cookie sites, which will require a browser to send signals to all of the companies that participate in the site, including those companies with websites we have never even visited.

The downfall is that people become very confused and frustrated, creating a bad user-experience. This is especially impossible to avoid with mobile browsing. In general, this is just an inconsistent enforcement mechanism.  

The Future – GPCs

With legislation backing (CCPA, CPA, CTDPA) and an easy user-experience, global privacy controls look to be the future of opt-outs.

Consumers can either use browsers that have already implemented the GPC (Firefox, Brave, DuckDuckGo) or download a browser extension to send the opt-out preference signal.

Beyond the Fine – Immediate Red Flags for Organizations

For comprehensive CCPA compliance, organizations must perform multiple controls besides honoring GPC and Do Not Track signals.

Besides Sephora in retail, businesses in fitness, technology, adtech, and fintech, among other industries have also been served notices for non-compliant opt-outs.

Apart from opt-out issues within retail, organizations across industries have been served notices for numerous CCPA violations.

Immediate Issues:

    • Non-compliant Privacy Policy Notices
    • No Request Methods
    • Limited Number of Requests to Know
    • Missing Do Not Sell/Sale of Personal Information Links
    • Non-Compliant Verification Procedures
    • Non-compliant Service Provider Contracts
    • Untimely Responses to CCPA Requests

The list goes on.

And, organizations have already taken or are undertaking measures to achieve CCPA compliance quickly.

| Industry | Enforcement Issue | Corrective Action |
| --- | --- | --- |
| Technology | Non-compliant privacy policy and no request methods for CCPA compliance. | Privacy policy updated; request methods implemented; compliant opt-out link |
| Healthcare | Requests to know were incorrectly matched with requests to delete. | Request response process improved; staff training imparted |
| Social media | Delayed responses to CCPA requests to know and delete personal information. | Outstanding requests addressed; systems updated to avoid delays |

The office of the AG does not generally release this information to the public about its investigations. With notices of noncompliance, firms have already started executing remedial measures.

The message is clear – businesses must fix curable violations within 30 days of notification to avoid consequences!

Immediate Priorities: Your CCPA Compliance Checklist

Journey to CCPA Compliance

What are some primary steps organizations must take to ensure they remain CCPA compliant?

    • Reevaluate whether you are “selling” personal information.
      • If yes, reassess third-party contracts, privacy notices and opt-out compliance.
    • Assess whether policies are updated to disclose the sale of consumers’ Personal Information (PI).
    • Is sufficient Notice at the Point of PI Collection provided?
    • Review opt-out capabilities.
    • Provide Notice of Financial Incentive (if applicable).
    • Review processes of responding to requests and security considerations.
    • Ensure disclosures to “service providers” meet CCPA’s contractual obligations.
    • Review processes and verifications for accepting requests.
    • Review Access and Individual Rights Management.

Consumer Trust Trumps Non-Compliance

As consumer-obsessed and privacy-driven organizations, brands are better off safeguarding themselves for CCPA compliance rather than taking the ‘30-day rectification’ route.

While brands are left understanding and researching the rules, authorities have started slapping fines. The time for research is behind; brands need to comply. And fast!

A privacy-driven approach will only help fortify consumer trust.

CPRA, the more stringent version of CCPA, is also expected to tighten the waters for businesses. Non-compliance and imprecise privacy programs will not suffice.

Missing a Compliance Action Plan for your Organization?

The office of the California Attorney General’s enforcement examples serve as both a warning and caution to businesses. More enforcement and actions are bound to follow suit, but organizations cannot afford a wait-and-watch approach.

While deciphering the technicalities and nitty-gritty of achieving compliance may seem time-consuming and daunting, it doesn’t have to be. TrustArc has solutions to accelerate your path to CCPA compliance.

Receive a CCPA Compliance Validation by passing a thorough evaluation of program-level measures and evidence to ensure that you and third-party vendors process personal information in compliance with the CCPA.

Evaluate tracking technologies on your website with the most mature Website Monitoring Manager in the market. Secure digital experiences with improved compliance risk identification and cookie analysis.


Simplify GPC recognition and honor GPC opt-outs with our consent solutions.


Privacy-driven frameworks form the foundation for organizations that prioritize consumer preferences. With some insight into how brands should think about compliance, this is the time to act.

Proactive businesses will be leading the pack on the road to CCPA compliance.