Friday 08 26, 2022

Novel CCPA/CPRA Enforcement Treats Targeted Ads as Data "Sales"

Portrait Liana Chen
By Liana Chen


In a novel case, the California Attorney General (AG) has treated targeted ads using third parties, such as through routine marketing and analytics cookies, as data "sales."

What did the AG case address?

In a first-of-its kind action, the AG has settled with Sephora for alleged violations of the California Consumer Privacy Act (CCPA) for $1.2 million. Highlighting the lack of a “Do Not Sell My Personal Information” disclosure and opt-out form, the AG took the position that a “sale” of personal information includes commonly-used targeted advertising using third parties. In particular, taking a broad view of the term “sale,” the AG’s stipulated order defines “Sale using online tracking technology” as a “sale” where personal information is made available to third parties through “online tracking technologies such as pixels, web beacons, software developer kits, third party libraries, and cookies . . .” including for analytics or free/discounted products.

The AG also raised an unfair business claim for Sephora’s purported failure to contractually extend its privacy obligations to its vendors (i.e., have appropriate vendor and service provider contract terms) and to recognize opt-outs signaled via the Global Privacy Control (GPC) (i.e., companies should take note as this is an emerging issue). As part of the injunctive relief, Sephora will need to process GPC optouts and undertake privacy assessments and reporting for 2 years.

In a public statement, AG Rob Bonta cautioned, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.”

This follows other proposed and passed privacy legislation, including the California Privacy Rights Act (CPRA), which becomes fully effective on January 1, 2023. Notably, the CPRA created a new California Privacy Protection Agency (CPPA) to replace the California AG as the designated regulator; and the 30-day “cure” period for privacy violations will expire. The CPRA further added requirements for “sharing” of personal information, which expands on the “do not sell” provisions.

What does this mean for companies with online marketing?

Businesses should take the time to review their privacy practices, policies, and contracts and, if an investigation or action arises, seek experienced counsel to assist. Kronenberger Rosenfeld regularly advices clients on privacy and general advertising compliance and litigation matters.

This entry was posted on Friday, August 26, 2022 and is filed under Resources & Self-Education, Internet Law News.

Related articles

Privacy & Cybersecurity

Firm Files Lawsuit Against Uphold HQ Inc Over

On February 25, 2022, Kronenberger Rosenfeld attorneys Karl Kronenberger and Kate Hollist filed a putative class action lawsuit against Uphold HQ, Inc., the company that runs the cryptocurrency exchange...

Read Article

Privacy & Cybersecurity

Disparity between California’s Privacy Laws and Class Action

The enactment of the California Consumer Privacy Act (“CCPA”) in 2019 strengthened certain privacy protections for consumers. The CCPA protects consumers by requiring businesses to “inform consumers as to the...

Read Article

Privacy & Cybersecurity

How to Keep Up With New Privacy Laws

There has been a wave of emerging and detailed privacy laws from the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), to the General...

Read Article

Privacy & Cybersecurity

CCPA Opt-out Buttons as Options for CCPA Compliance

The proverbial dust from the implementation of the California Consumer Protection Act (“CCPA”) has settled. And at this point, most businesses are aware that under the CCPA, California residents have...

Read Article
Get the help you need.

We offer legal advice on a wide range of online topics

Get legal help now

Not seeing what you’re looking for?

Submit your case in 3 minutes and get legal help fast.

Submit your case online


Give us a call
Join our mailing list

Stay ahead of legal matters

The internet moves fast. We'll keep you informed.