Sephora USA, Inc., $1,200,000
First-ever public CCPA enforcement settlement. Sephora failed to disclose that it was selling personal information and did not honor Global Privacy Control opt-out signals.
Case identifiers
- Respondent: Sephora USA, Inc.
- Agency: California Attorney General
- Announced: 2022-08-24
- Monetary relief: $1,200,000
- Case number: California AG Case No. RG22-141229
- Statutes cited: California Consumer Privacy Act (CCPA)
Key facts
1. Sephora allowed third parties to install tracking software that captured customer data in exchange for free analytics and advertising services, a "sale" under CCPA.
2. Sephora's privacy disclosures did not tell consumers their data was being sold.
3. The company also failed to honor Global Privacy Control (GPC) signals, a user-agent-level opt-out.
4. California AG Bonta chose Sephora as the flagship enforcement case to set precedent for the CCPA sale provision.
What the order requires
Injunctive terms imposed by the California Attorney General. These bind Sephora USA, Inc.'s data practices going forward.
- Required disclosure that the company sells personal information.
- Must provide mechanisms for consumers to opt out of sale, including Global Privacy Control.
- Must conform contracts with service providers to CCPA requirements.
- Reporting requirements to the California AG for two years.
Primary sources
Read the original government documents. These are the authoritative records; everything on this page is derived from them.
- California Attorney General press release: https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
FAQ
What did the state-AG charge Sephora USA, Inc. with?
First-ever public CCPA enforcement settlement. Sephora failed to disclose that it was selling personal information and did not honor Global Privacy Control opt-out signals. The California Attorney General cited the California Consumer Privacy Act (CCPA).
How much did Sephora USA, Inc. pay?
Sephora USA, Inc. paid $1,200,000 in monetary relief, announced on 2022-08-24. The settlement also imposed injunctive terms (see below).
Does the Sephora USA, Inc. settlement mean my data has been deleted?
No, the order does not automatically delete your data. You retain full rights under state privacy law (CCPA, CPA, TDPSA, VCDPA, and others) to submit your own deletion request. OfflistMe can generate a compliant deletion email pre-addressed to the respondent’s privacy contact.
How can I read the original state-AG order?
The California Attorney General press release is available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement. The case / matter number is California AG Case No. RG22-141229.