Can’t Makeup This Violation

Glossing over guidelines

California is home to one of the most rigid consumer privacy laws in the country. Originally passed in 2018 and later intensified in 2020, the law affords consumers the right to know the extent of information collected by companies online, the ability to have that private data deleted, and the capability to refuse the sale of their information to third party entities. The strength of this law led to the $1.2 million settlement of a civil suit, which pinned the cosmetics company, Sephora Inc., of violating consumer rights. The company failed to comply with the law and allegedly sold customer information without consent.

Even once the violation was discovered, the cosmetics empire did not exhibit the proper due diligence of amending the problem within 30 days, as required by the consumer protection law. Within the settlement, Sephora must not only shell out $1.2 million, but must also work to immediately correct the data distribution problem. It is the hope that this lawsuit will serve as a warning to additional companies that fail to comply with the law. The state Attorney General Rob Bonta has issued several warnings to over 100 companies that did not initially take the new law seriously.

Under the terms of the settlement, Sephora is not required to admit fault or wrongdoing, but must mend its website to offer more transparency in its disclosure and privacy policy, as well as steps for consumers to opt out of the sale of their personal information. According to the cosmetics company, these measures were already implemented in November 2021. Sephora aims to administer a consumer experience that is specifically targeted to meet cosmetic needs. Working with third party companies has allowed Sephora to build intricate consumer profiles that allow them to advertise key products. According to the Attorney General, Sephora’s website previously stated that it does not sell customer data.