Sephora Settles in GPC Enforcement Sweep

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

CA Attorney General Settles with Sephora as Part of GPC Enforcement Sweep

California Attorney General Bonta announced reaching a $1.2 million settlement with Sephora based on allegations the retailer violated the California Consumer Privacy Act (CCPA).

According to the announcement, Sephora failed to disclose its sale of personal information collected from its website, failed to respect user opt outs submitted via the Global Privacy Control (GPC) mechanism, and failed to cure its violations within a 30-day cure period.

TAKEAWAY

This settlement represents the first issuance of fines by the California Attorney General under the CCPA.

All other enforcement has been in the form of noncompliance letters sent to companies notifying of CCPA violations and giving 30 days to cure the violations. 

Illustrative examples of such enforcement are available on the Office of the Attorney General’s website, including a new batch of examples published the same day as announcement of the Sephora settlement.

The top item on the list discloses an “enforcement sweep” of multiple online retailers who were making personal information available to third parties for advertising and analytics purposes without processing opt-outs submitted via GPC.

The companies in the illustrative case example cured the violation by communicating a “restricted use” signal and/or blocking transfer of personal information to third parties. 

Stakeholders Submit Conflicting Comments to CPPA Regulations

The 45-day comment period to respond to the California Privacy Protection Agency’s draft regulations under the California Consumer Privacy Act has ended.

Among other submissions, comments from a coalition of consumer advocacy groups, including the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD), encouraged among other changes, a prohibition on the collection or use of sensitive data with limited exceptions, and a prohibition on using personal information for purposes incompatible with the purposes for which the information was collected, even with consent.

Conversely, the Network Advertising Institute comments advocate for the ability to use sensitive information with enhanced, specific notice and the use of personal information for incompatible purposes with proper disclosure and the right to object.

A letter from additional ad groups reportedly expressed similar concerns with the opt-in requirement for incompatible purposes set forth in the draft regulations. 

NEXT STEPS

The CPPA will either substantively adopt the regulations or make changes in response to the comments. Any changes may trigger either an additional 45-day or 15-day comment period, depending on whether the changes are “major” or “sufficiently related”.   

Consumer Coalition Urges Pelosi to Move Forward with the ADPPA

A group of 50 consumer advocacy, civil rights and public interest groups sent a letter to Speaker Pelosi urging her to move the American Digital Privacy and Protection Act (ADPPA) to a House vote.

The letter stresses the importance of the bill’s civil rights and privacy protections and expresses that “a failure to move the bill in this Congress will forestall progress on this issue for years to come”.

BACKGROUND

 The ADPPA was reported out of the House Energy and Commerce Committee in July and has not seen further action, largely due to the House being on break until mid September.

In the meantime, the bill has elicited strong opinions, including from the California Privacy Protection Agency, among other U.S. state authorities and some advocacy groups, that oppose the bill due to its broad preemption language.

Certain advertising groups, such as Interactive Advertising Bureau, oppose the bill due to its heavy restrictions on digital advertising and resulting impact on the online environment.

FTC Publishes 2022-2026 Strategic Plan

The Federal Trade Commission’s updated strategic plan maintains the same goals from its previous plan, namely

(1) to protect the public from unfair or deceptive acts or practices in the marketplace;

(2) to protect the public from unfair method of competition in the marketplace and promote fair competition; and

(3) to advance the FTC’s effectiveness and performance.

However, the FTC says that the updated plan makes numerous improvements, such as new objectives that ensure the work of the agency benefits all Americans, including those who live in historically underserved communities.

These objectives include performance metrics based on the percentage of populations impact by the FTC’s actions who belong to historically underserved communities and the percent of actions taken to stop practices targeting, disproportionately impacting, or involving schemes or practices that research has shown to have disproportionately impacted historically underserved communities, or involving conduct in languages other than English. 

IN CONTEXT

Signs of these new objectives to ensure benefits to historically underserved communities have surfaced to some extent in recent documentation and statements from the FTC.

Most recently, the FTC’s Advance Notice of Proposed Rulemaking invites public comment in response to several questions, including whether, in regulating “commercial surveillance”, the Commission should focus on harms based on protected classes and whether the Commission should consider harms to other underserved groups such as unhoused people or residents of rural communities.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.