August 26, 2022

Novel CCPA/CPRA Enforcement Treats Targeted Ads as Data "Sales"

Portrait Liana Chen
By Liana Chen

Partner

In a novel case, the California Attorney General (AG) has treated targeted ads using third parties, such as through routine marketing and analytics cookies, as data "sales."

What did the AG case address?

In a first-of-its kind action, the AG has settled with Sephora for alleged violations of the California Consumer Privacy Act (CCPA) for $1.2 million. Highlighting the lack of a “Do Not Sell My Personal Information” disclosure and opt-out form, the AG took the position that a “sale” of personal information includes commonly-used targeted advertising using third parties. In particular, taking a broad view of the term “sale,” the AG’s stipulated order defines “Sale using online tracking technology” as a “sale” where personal information is made available to third parties through “online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies . . .” including for analytics or free/discounted products.

The AG also raised an unfair business claim for Sephora’s purported failure to contractually extend its privacy obligations to its vendors (i.e., have appropriate vendor and service provider contract terms) and to recognize opt-outs signaled via the Global Privacy Control (GPC) (i.e., companies should take note as this is an emerging issue). As part of the injunctive relief, Sephora will need to process GPC optouts and undertake privacy assessments and reporting for 2 years.

In a public statement, AG Rob Bonta cautioned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.”

This follows other proposed and passed privacy legislation, including the California Privacy Rights Act (CPRA), which becomes fully effective on January 1, 2023. Notably, the CPRA created a new California Privacy Protection Agency (CPPA) to replace the California AG as the designated regulator; and the 30-day “cure” period for privacy violations will expire. The CPRA further added requirements for “sharing” of personal information, which expands on the “do not sell” provisions.

What does this mean for companies with online marketing?

Businesses should take the time to review their privacy practices, policies, and contracts and, if an investigation or action arises, seek experienced counsel to assist. Kronenberger Rosenfeld regularly advices clients on privacy and general advertising compliance and litigation matters.

Related Topics

Related Practice Areas

This entry was posted on Friday, August 26, 2022 and is filed under Resources & Self-Education, Internet Law News.



Related articles

Privacy & Cybersecurity

Secure Passwords Are the Key to Your Online

Over 50% of Americans have been a victim of cybercrime, and one of the most common ways criminals gain access to our personal information is by stealing passwords. A strong...

Read Article

Privacy & Cybersecurity

U.S. Privacy and Data Protection | Insights |

Dark Patterns For any business collecting user data, it's crucial to stay informed about the evolving regulatory landscape surrounding "dark patterns" in advertising and data privacy and security practices. Recent...

Read Article

Privacy & Cybersecurity

U.S. Privacy and Data Protection | Insights |

The Federal Trade Commission ("FTC") has continued to be active in the realm of data privacy and security. As an initial matter, it is important to acknowledge that data is...

Read Article

Privacy & Cybersecurity

Updating Terms of Service: What You Need to

It is not uncommon for websites and applications to periodically update their terms of service, as it is a way for businesses to stay diligent with their ever-growing needs as...

Read Article
Get the help you need.

We offer legal advice on a wide range of online topics

Get legal help now

Not seeing what you’re looking for?

Submit your case in 3 minutes and get legal help fast.

Submit your case online

OR

Give us a call
Join our mailing list

Stay ahead of legal matters

The internet moves fast. We'll keep you informed.