Novel CCPA/CPRA Enforcement Treats Targeted Ads as Data "Sales"

In a novel case, the California Attorney General (AG) has treated targeted ads using third parties, such as through routine marketing and analytics cookies, as data "sales."

What did the AG case address?

In a first-of-its kind action, the AG has settled with Sephora for alleged violations of the California Consumer Privacy Act (CCPA) for $1.2 million. Highlighting the lack of a “Do Not Sell My Personal Information” disclosure and opt-out form, the AG took the position that a “sale” of personal information includes commonly-used targeted advertising using third parties. In particular, taking a broad view of the term “sale,” the AG’s stipulated order defines “Sale using online tracking technology” as a “sale” where personal information is made available to third parties through “online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies . . .” including for analytics or free/discounted products.

The AG also raised an unfair business claim for Sephora’s purported failure to contractually extend its privacy obligations to its vendors (i.e., have appropriate vendor and service provider contract terms) and to recognize opt-outs signaled via the Global Privacy Control (GPC) (i.e., companies should take note as this is an emerging issue). As part of the injunctive relief, Sephora will need to process GPC optouts and undertake privacy assessments and reporting for 2 years.

In a public statement, AG Rob Bonta cautioned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.”

This follows other proposed and passed privacy legislation, including the California Privacy Rights Act (CPRA), which becomes fully effective on January 1, 2023. Notably, the CPRA created a new California Privacy Protection Agency (CPPA) to replace the California AG as the designated regulator; and the 30-day “cure” period for privacy violations will expire. The CPRA further added requirements for “sharing” of personal information, which expands on the “do not sell” provisions.

What does this mean for companies with online marketing?

Businesses should take the time to review their privacy practices, policies, and contracts and, if an investigation or action arises, seek experienced counsel to assist. Kronenberger Rosenfeld regularly advices clients on privacy and general advertising compliance and litigation matters.