
Sephora fined for violating CCPA — what it means for data protection



Few entities strike fear into the hearts of organizations like regulators. Minor oversights in data processing practices, when collecting and processing customer data, can lead to lawsuits and fines costing millions to address.

Just over a week ago, the first fine was imposed under the California Consumer Privacy Act (CCPA), billing beauty product company Sephora $1.2 million for not informing customers that it was selling their data while claiming on its website that it was not selling personal information.

For companies, this first fine highlights that the regulatory landscape is becoming more and more brutal, with more and more obligations to make clear to users how personal data is collected or processed.

Complying with the rules under a mountain of regulations

The CCPA is just the tip of the iceberg when it comes to regional data protection rules coming into effect in the US, including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act and Connecticut Data Privacy Act.


At the same time, the American Data Privacy and Protection Act (ADPPA) is also slowly moving through the legislative system and, if passed, will implement a federal standard for data protection.

With all of these new regulations coming into effect, organizations are under tremendous pressure to re-evaluate how they handle personal data, and the CCPA’s enforcement against Sephora emphasizes that these rules aren’t going away anytime soon.

“This event shows that California takes privacy seriously and that the CCPA has the teeth to enforce its demands. Any CISO doing business in California, or subject to the CCPA, should now consider that the statute is as real as any other regulatory mandate and that they should act accordingly to get their house in order,” said Andrew Hay, COO at Lares Consulting.

Hay recommends CISOs concerned about the CCPA review their policies with their legal and HR teams to verify that their data collection procedures are in compliance with the regulation.

Data processing becomes a risky game

One of the broader implications of the decision is that data processing will become a risky game. While organizations look to better leverage and monetize data so they can compete more effectively in the marketplace, these expanded processing practices open the door to compliance obligations.

“Business leaders are tasked with finding ways to use data to create new revenue streams. Especially with the shift to remote working, permissive access and applications like Google Drive or Slack make it easy to access and distribute information about a company,” said Yotam Segev, co-founder and CEO of Cyera.

“The people or teams involved may have thought they could monetize this data. How many companies are prepared for this kind of action? Security and risk teams need an easy way to answer basic questions such as: What data do I have? Where is it now? Who has access to it? How should it be managed and secured?” said Segev.

If you can’t answer these questions on demand, chances are your data protection processes are exposing you.

Sephora might just be the beginning: think twice before you sell user data

It’s not just companies like Sephora that have faced legal action over the sale of customer data; Oracle is currently facing a class-action lawsuit for collecting, profiling and selling the data of more than 5 billion users.

Even incorrectly collecting data can be a costly decision, as most recently highlighted when Meta settled a lawsuit for $37.5 million after it was accused of violating users’ privacy by tracking users’ movements through their IP address without permission.

In this regulatory environment, the margin of error for data collection and use is small, so organizations need to be much more proactive about what information they collect and make sure they do it in a way that is secure and compliant.

One of the keys to doing this is to be honest and transparent about whether your organization is generating revenue from or selling personal data, and not to try to cover up this activity.

“It’s more common for a company to take the stance that they don’t technically ‘sell’ PII [personally identifying information] in the traditional sense, such as a data broker as an example, and then refer consumers to one or all of the preferred centers in the industry, such as AdChoices,” said Brian Mandelbaum, CEO of Clover.

“Unfortunately, these options do not meet CCPA’s standards. This is a huge wake-up call for adtech, data brokers and basically everyone in the community. I bet we’ll see a significant increase in privacy policy updates, don’t-sell-my-data links and disclosures in the coming months,” Mandelbaum said.

Going forward, ensuring transparency about data collection and monetization processes will be key to maintaining compliance.

The mission of VentureBeat is to be a digital city square for tech decision makers to learn about transformative business technology and transactions.

Shreya Christina (http://ukbusinessupdates.com)