The recent first-time enforcement of the California Consumer Privacy Act (CCPA) laid the groundwork for national regulation of data privacy and how businesses can navigate the collection and use of customer data, including its sale to third parties.
Beauty and personal care retailer Sephora has agreed to pay a $1.2 million fine in an agreement with California in response to a complaint presented by Rob Bonta, the state attorney general. The complaint alleged that Sephora failed to inform consumers that their personal information was being sold and stated on its website that it did not sell personal information. The complaint further alleged that Sephora did not provide an easy-to-find link on the web or in its app that customers could use to opt out of the sale of their personal information.
Zweifel-Keegan says the introduction of more law enforcement agencies will likely lead to more cases, including in other states like Colorado, which is finalizing its data privacy regulations.
The California Attorney General’s focus on “Don’t Sell” and use of ad providers also wasn’t what the community expected regulators to act on first, says DataGrail CEO Daniel Barber. “I don’t think Sephora’s response was what the community really expected,” he says. “This kind of shakes up through the industry.”
The AG’s moves may have put privacy professionals on the back foot, says Barber, and raised questions about ad technology that relies on customer information, which companies might view as collection and processing rather than as a sale. in doubt whether they are selling information or not,” he says.
What constitutes a sale?
There are different perspectives, says Barber, on what constitutes a sale. For example, what happens if information is exchanged between companies without money changing hands? “Many in the community would have argued that it was not the ‘sale’ of information,” he says. “It is now very clear that the AG intends to take a position on this particular definition, an ad technology definition, which is included as part of the ‘Do Not Sell’ concept.” Other state-level regulations may have constructions similar to CCPA, Barber says. “The impact will continue for the next several months.”
Data collection and privacy is an increasingly complex issue that has come to include concerns about how consumers are targeted by advertisements, how they are judged by financial lenders, and the inferences that can be made about women’s health as numerous states enact laws against abortion.
Some of the language in the complaint and California’s settlement with Sephora helps frame the perspectives regulators might take. For example, the California lawsuit cited tracking software on Sephora’s website and app that allows third parties to monitor consumers, providing those businesses with information about the types of computers consumers use, their location and the types of products added to their online shopping carts. Third parties could then submit analytics based on that information to Sephora to better target digital ads.
More regulatory legislation is in the works. For example, California lawmakers are working on a privacy law to prohibit the creation and use of so-called addictive features on social networks. California is also working on privacy protections for minors who go online. “They’re really built around the safety of kids and teens,” says Zweifel-Keegan. “They have privacy implications in that they will affect how companies collect and process personal information.”
California regulators continued to describe such practices as “third party surveillance,” which is comparable to what the Federal Trade Commission recently called “business surveillance” in reference to the collection, analysis, and commercial profits made from data collected from the public.
Zweifel-Keegan says that organizations should have contracts between data controllers and data processors, or between companies and their service providers, to specify the purpose behind the processing of customers’ personal information and what the boundaries should be. “That’s something that came up in the Sephora case because it appears there were some third-party entities that may collect personal information through publisher websites,” she says.
There’s also the issue of presenting clear options for customers to opt out of having their information collected and sold. The privacy community, says Zweifel-Keegan, is thinking about what it means to offer usable choice mechanisms for consumers, with debates about how they are presented. “There’s a lot of talk about ‘choice fatigue’: having too many pop-ups, too many questions,” she says. “It leads consumers to not necessarily feel like they’re in the driver’s seat.”
Zweifel-Keegan says the Sephora-California deal puts into perspective that data collection, privacy and related analytics will likely face increased scrutiny across the market. “It’s not just big tech that needs to think about privacy,” she says. “That’s a clear message that California is sending by coming to a company like Sephora.”