What Sephora's CCPA fine says about the changing nature of data sharing and use

Industry experts warn US and global companies of the dangers they face not being prepared for stronger consumer privacy regulations

Most brands globally still don’t have an appropriate handle on the wealth of data they have available and should be revisiting their data governance and compliance if they’re to avoid falling foul of the regulators.  

That’s the warning several industry experts are sending to marketers and organisations following the news of beauty retail giant, Sephora, becoming the first company to be hit with a US$1.2 million fine for California Consumer Privacy Act (CCPA) data violation.  

The CCPA fine was issued in September to Sephora for failing to inform customers it was selling their data to third parties while making claims on its website that it didn’t sell personal information. The penalty was also for failing to respect users’ Global Privacy Control as an opt-out, then neglecting to correct the infraction in the prescribed period.  

As Forrester analysts, Stephanie Liu, Melissa Bongarzone and Enza Iannopollo, commented following the news, the penalty makes it starkly clear a data ‘sale’ is any exchange of data for value, not explicitly monetary value. In the case of Sephora, the exchange of customer data was not a sales transaction.  

“This expands requirements for respecting consumers’ ‘do not sell my information’ requests and opens more companies to CCPA investigations – the attorney general already sent violation notices to other organisations acting similarly to Sephora,” the Forrester trio stated.  

However, they also noted the California Privacy Rights Act [CPRA] going into effect from next year will further change the game by giving consumers the right to opt out of the sale or sharing of their personal information.  

Commenting on the significance of the Sephora fine to CMO, Simon Data CEO and co-founder, Jason Davis, said he wouldn’t be surprised to see other brands out there being caught flat-footed.  

“I’m sure this is a wake-up call for brands since it’s the first documented violation and we’re just starting to understand what regulators are actually looking for. A big challenge with these privacy legislations like the CCPA is that they are often broad and leave room for interpretation,” he said.  

It’s a pertinent point for Australian organisations given the current Privacy Law review and potentially significant changes that could come from further restricting data use, elevating transparency and providing more consumer choice in this country.

Read more: Explainer: What marketers need to know about the proposed privacy law changes

Also looking at this from the broader and more global context of increasing consumer privacy laws and multi-state and location-based regulatory scrutiny, Davis believed a lot of organisations who believe they’re compliant could be blindsided by regulatory action.  

“It will only become more confusing as the CDPA and CPRA are introduced next year. We know that following Sephora’s violation there were already over 100 new notices sent to companies across industries and brand sizes,” he said.  

“CCPA, GDPR and all the other state-level legislation that have followed required new and additional data infrastructure and processes that these organisations simply didn’t have in place. Additionally, most brands, especially the larger ones, did not have and continue not to have, a handle on the wealth of data they have available to them. We’re likely going to see a lot of brands revisit some of the initial changes they made back in 2020 and ask themselves whether or not they’ve actually done enough to truly be compliant.”  

Cerby chief trust officer, Matt Chiodi, saw fines beginning to eat at the bottom line of non-compliant businesses, tarnishing their brand and reputation.   

“Without a strong data governance program, many businesses are likely to be in the same boat as Sephora. Making matters worse, many marketing platforms that store customer data often fall into the unmanageable application category,” he said. “This class of applications doesn’t support enterprise-grade authentication options like single sign-on. You get a toxic combination when you combine weak data governance with unmanageable applications.”  

Founder and CEO of privacy rights management company Cytrio, Vijay Basani, described the news as a shot across the bow from the California AG that they are serious about enforcing CCPA and holding companies responsible for not respecting consumer data privacy rights.  

“It is truly a wake-up call for all businesses to take CCPA /CPRA and data privacy seriously,” he said.

“While the Sephora fine was focused on the ‘Do Not Sell my Information’ right, we should expect CCPA enforcement to expend into other consumer rights, such as Right to Access, Right to Delete, Consent Management and so on.”  

In Cytrio’s State of CCPA and GDPR Compliance Research across more than 8200 companies in the US operating in several industries and required to comply with CCPA, 45 per cent were found to be violating the act by providing no mechanism for consumers to exercise their data privacy rights.  

“If Sephora did the right thing by implementing detailed data mapping and data flow of Personal information it collected, and enforced appropriate controls to comply with CCPA requirements, it could have avoided this embarrassing situation for much less cost – financially and reputationally,” Basani said.

How to mitigate the risk  

So what advice do these experts have for brands to mitigate data risks and ensure their governance and data collection frameworks stack up to scrutiny?  

“Brands need to start taking control of their first-party data,” Davis advises. “Centralised data governance models coupled with modern cloud data warehousing systems make this possible.  There’s also a growing ecosystem of martech platforms and CDPs [customer data platforms] natively designed to interface with these first-party data systems.”  

Data governance programs are extremely useful, Chiodi continued. “This is about putting together a comprehensive framework that tracks where data comes into the organisation, how it's being used, and when it’s disposed of,” he said.  

“Data should be treated like a bank account; an organisation needs to constantly track how it’s being used and protected. The latter is where unmanageable applications come into play. Businesses need to investigate solutions that integrate these platforms into enterprise identity platforms.”  

Basani also emphasised the care businesses must exhibit when sharing Personal Information (PI) data with third parties and service providers.  

“You must have well defined service provider agreements that explicitly prevent service providers from using or sharing PI data for any other purpose,” he advised. “You must put in place data mapping and understand data flows as it relates to PI data. Businesses must regularly conduct Privacy Impact Assessments [PIA] to understand data privacy risks and implement processes to mitigate privacy risk.  

“This is a continuous process and risk must by managed actively to keep it within your organisation risk tolerance.”  

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here.  

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page     


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

More Brand Posts



CMO's top 10 martech stories for the week - 9 June

Read more

Great e-commerce article!

Vadim Frost

CMO’s State of CX Leadership 2022 report finds the CX striving to align to business outcomes

Read more

Are you searching something related to Lottery and Lottery App then Agnito Technologies can be a help for you Agnito comes out as a true ...


The Lottery Office CEO details journey into next-gen cross-channel campaign orchestration

Read more

Thorough testing and quality assurance are required for a bug-free Lottery Platform. I'm looking forward to dependability.

Ella Hall

The Lottery Office CEO details journey into next-gen cross-channel campaign orchestration

Read more

Great Sharing thoughts.It is really helps to define marketing strategies. After all good digital marketing plan leads to brand awareness...

Paul F

Driving digital marketing effectiveness

Read more

Blog Posts

Marketing prowess versus the enigma of the metaverse

Flash back to the classic film, Willy Wonka and the Chocolate Factory. Television-obsessed Mike insists on becoming the first person to be ‘sent by Wonkavision’, dematerialising on one end, pixel by pixel, and materialising in another space. His cinematic dreams are realised thanks to rash decisions as he is shrunken down to fit the digital universe, followed by a trip to the taffy puller to return to normal size.

Liz Miller

VP, Constellation Research

Why Excellent Leadership Begins with Vertical Growth

Why is it there is no shortage of leadership development materials, yet outstanding leadership is so rare? Despite having access to so many leadership principles, tools, systems and processes, why is it so hard to develop and improve as a leader?

Michael Bunting

Author, leadership expert

More than money talks in sports sponsorship

As a nation united by sport, brands are beginning to learn money alone won’t talk without aligned values and action. If recent events with major leagues and their players have shown us anything, it’s the next generation of athletes are standing by what they believe in – and they won’t let their values be superseded by money.

Simone Waugh

Managing Director, Publicis Queensland

Sign in