5 lessons from the Sephora CCPA fine: The importance of data privacy in retail
Posted: December 15, 2023
The beauty industry has always been a competitive and dynamic landscape with many brands vying for customer attention in a market worth billions of dollars.
However, with the rise of technology and digital channels, data privacy has become a crucial concern for brands, especially for those that sell directly to consumers.
Recently, Sephora, one of the leading beauty retailers in the world, was hit with a fine for violating the California Consumer Privacy Act (CCPA).
This event undoubtedly sent ripples through the beauty industry and highlights the importance of data privacy in retail.
Let’s explore the lessons that can be learned from the Sephora CCPA fine, the current state of data privacy in retail, and the steps that brands can take to protect their customers’ data.
What happened to Sephora?
In July 2021, the retail giant Sephora experienced a significant setback as it faced a hefty $1.2 million fine due to non-compliance with the CCPA. It is one of the first big companies to be fined under the CCPA.
An extensive investigation revealed that Sephora was improperly handling customers’ private information, leading to a breach of the stringent data protection mandates stipulated by the CCPA.
The state said that Sephora…
- Illegally sold personal data using third-party trackers for targeted ads and discounts on analytics
- Failed to follow opt-out requests that its customers made via browser privacy controls
This incident underscored the importance of businesses strictly adhering to data protection regulations to maintain consumer trust and avoid legal implications.
The CCPA, which was enacted in 2018, is one of the most comprehensive data privacy laws in the United States. It aims to protect California residents’ personal information and empowers them with greater control over their data.
The law mandates businesses that collect personal information from California consumers to disclose what type of data they are collecting, how it will be used, and what third parties it will be shared with. Additionally, the CCPA gives consumers the right to opt-out of their personal information being sold to third parties and the right to have their data deleted upon request.
The CCPA stipulates fines of $2,500 for each violation, $7,500 for each intentional violation, and $750 per consumer per incident in the event of a data breach. These might seem relatively small figures, however, for global brands operating with high volumes, the numbers can quickly add up.
Lesson #1: Understand the CCPA and other global legislation
The Sephora case is just one example of how CCPA violations can result in significant financial penalties.
Under the CCPA, consumers have the right to know what personal information is being collected about them, the right to request that their data be deleted, and the right to opt-out of the sale of their data. Specifically in this case, Sephora allegedly failed to process user requests to opt out of sale via user-enabled global privacy controls (GPC) and cure these violations within the 30-day period currently allowed by the CCPA.
Companies must comply with these regulations or risk being penalized heavily. Thus, it is crucial that brands understand the CCPA inside out, develop policies that meet the CCPA regulations, and put in place measures to ensure compliance. But not only that, brands need to know the logistics
Whilst there are numerous state-led US legislation laws, the CCPA is one of the earliest to launch and is often considered the high bar to meet. The patchwork of different regulations can be complex to navigate for both businesses and consumers, but this Sephora fine draws a definitive line in the sand: that even the biggest brands need to take note or risk both fines and reputational damage.
Lesson #2: Prioritize data privacy in the beauty industry
Any business in the retail industry collects a vast amount of customer data, with beauty being no exception: from skincare routines to purchase history to spending behavior.
This information is vital in creating personalized experiences and marketing campaigns that resonate with customers. However, with such sensitive information comes a considerable responsibility to protect it.
As a company, it’s important to understand your data handling, storage process, and risk. Sephora made the mistake of holding too much data for too long and that led to issues that could have been avoided. Understanding your data means conducting regular data mapping and ensuring that you only hold onto what you need, thus reducing data breach risk.
Brands that prioritize data privacy will be ahead of the curve, gain the trust of customers, and be favored by regulators as well. In contrast, those who neglect data protection policies and procedures may risk ruining their reputation, losing customers to competitors, or receiving a hefty fine.
What challenges do retailers face around data privacy?
Read our retailer’s guide to discover how you can embrace data privacy to win customer trust and in turn, drive revenue.
In this guide, you will learn:
- The business and brand implications of not enacting a good privacy strategy
- What privacy practices you should adopt to help consumers feel in control of their data
- What a Consent and Preference Management platform is and why it’s the answer to your problems
Lesson #3: Embrace transparency
One of the principles underpinning the CCPA is transparency in data collection practices. Brands must be transparent about what data is collected, how it is used, and with whom it is shared. This transparency should extend to your website’s privacy policy, terms and conditions, and opt-in forms.
To be compliant with the CCPA, companies must disclose the personal information they collect and provide an opt-out or “Do Not Sell My Information” option to users. Brands that embrace transparency will engender trust and loyalty among customers, who will appreciate open communication and honesty about what happens with their data.
Sephora’s fine served as a reminder that companies need to be proactive in updating their privacy policies, website disclosures, and user communications to ensure clarity and transparency is present.
Lesson #4: Invest in compliance training
Data privacy is everyone’s responsibility, from executives to employees. Brands should plan to invest in regular compliance training to keep the entire team informed and up-to-date about data security best practices.
Educating employees about the CCPA regulations, data privacy policies, and how to safeguard customer information can go a long way in helping brands to achieve compliance effectively. Furthermore, this training can raise awareness among employees, encouraging them to report any non-compliance issues, which will ultimately protect your customers and your brand’s reputation.
Lesson #5: Pay attention to third-party relationships
The last lesson learned from Sephora’s case is the importance of monitoring third-party relationships that handle consumer data.
Sephora contracted with an outside company to manage its payments and later found out that information was being shared with others without consumers’ consent, and the information was not adequately safeguarded against theft.
A comprehensive vendor risk management program is a critical piece of any compliance program as it would help improve data governance and ensure that third-party service providers are only accessing data within the scope of their duties.
It’s also worth considering implementing technology that can handle high volume consent data at scale. With a consent management platform like Cassie, businesses can accurately collect and store consents across millions of data subjects, with real-time distribution to tech stacks and third-party systems that require acknowledgement.
Far too often businesses rely on either consent mechanisms within their CRM or marketing tools, without considering the wider implications of managing consent across departments and platforms. By centralizing consent in one system with audit trails and validated records of consent, businesses can be confident that they’re not only collecting consent but enforcing and honoring it at every touchpoint.
Final thoughts…
The Sephora CCPA fine serves as a warning for beauty brands operating in today’s data-driven world. Brands must make data privacy a priority and ensure that they are CCPA compliant.
Implementing transparent data policies, investing in employee training, and collaborating with trusted partners can help brands achieve CCPA compliance and avoid any severe financial penalties.
Importantly, prioritizing data privacy will also engender consumer trust and loyalty, leading to a long-term competitive edge.
