Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data


The world’s leading cosmetics and beauty products manufacturer Sephora will pay a $1.2 million fine to settle claims brought in a California district court.

The penalty was imposed under the California Consumer Privacy Act (CCPA) of 2018 after more than a hundred retailers were examined for compliance with the act. The law was enacted primarily to give consumers control over the kinds of data businesses can collect about them.

The Accusation

The company allegedly breached the California Consumer Privacy Act by failing to inform its customers that it sold their data. It also failed to honor requests from consumers who asked it to stop selling their data through the opt-out feature on its website.

Furthermore, Sephora ignored opt-out requests from customers whose browsers or browser extensions sent the Global Privacy Control (GPC) signal indicating that they did not want their personal data sold. Instead, it allowed third-party firms, including marketing, advertising, and data analytics companies, to access its customers’ online activity in exchange for their services.

In the process, those third parties built profiles of customers and accessed personal data such as shopping cart items, device details, and location, court documents revealed. The court was further informed of the following:

“Consumers are constantly tracked when they go online. Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop. Third parties track all types of data; in Sephora’s case, third parties can track whether a consumer is using a MacBook or a Dell, the brand of eyeliner that a consumer puts in their “shopping cart,” and even the precise location of the consumer.”

“Some of these third-party companies create entire profiles of users who visit Sephora’s website, which the third parties then use for Sephora’s benefit. For example, the third party might provide detailed analytics information about Sephora’s customers and provide that to Sephora, or offer Sephora the opportunity to purchase online ads targeting specific consumers, such as those who left eyeliner in their shopping cart after leaving Sephora’s website. This data about consumers is frequently kept by companies and used for the benefit of other businesses, without the knowledge or consent of the consumer.”
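The failure described above, honoring neither the Global Privacy Control signal nor the site's own opt-out, is the kind of thing a compliance audit can check from request logs. The following is an added example, not code from the article or from Sephora: it scans constructed log lines for requests that carried the GPC header (`Sec-GPC: 1`) or an opt-out cookie and were nevertheless served third-party tracking tags. The log format, the cookie name `ca_do_not_sell`, and the `tp_tags` field are assumptions.

```python
import re
from collections import Counter

# Constructed log format (assumption): space-separated key=value pairs,
# with values optionally double-quoted. Not any real server's log format.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical name of the site's own "Do Not Sell" opt-out cookie.
OPT_OUT_COOKIE = "ca_do_not_sell"

# Constructed sample log lines: sec_gpc mirrors the Sec-GPC request header,
# tp_tags lists the third-party tags the page was served ("0" = none).
SAMPLE_LOG = [
    'req=1 path=/ sec_gpc=1 cookie="session=a1" tp_tags=analytics,ads',
    'req=2 path=/cart sec_gpc=0 cookie="ca_do_not_sell=1; session=b2" tp_tags=analytics',
    'req=3 path=/ sec_gpc=0 cookie="session=c3" tp_tags=analytics,ads',
    'req=4 path=/product sec_gpc=1 cookie="session=d4" tp_tags=0',
]


def parse_line(line):
    """Turn one log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def has_opted_out(rec):
    """True if the request signalled opt-out via GPC (Sec-GPC: 1) or the opt-out cookie."""
    if rec.get("sec_gpc") == "1":
        return True
    cookies = {}
    for part in rec.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies.get(OPT_OUT_COOKIE) == "1"


def audit(lines):
    """Return (Counter of totals, ids of requests served tags despite opting out)."""
    totals = Counter()
    violations = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        totals["requests"] += 1
        if has_opted_out(rec):
            totals["opted_out"] += 1
            if rec.get("tp_tags", "0") != "0":
                totals["violations"] += 1
                violations.append(rec.get("req"))
    return totals, violations


if __name__ == "__main__":
    totals, bad = audit(SAMPLE_LOG)
    print(dict(totals), "offending requests:", bad)
```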

Sephora’s Response

However, Sephora claims it respects consumer privacy and “strives to be transparent about how their personal information is used” to improve customer experience.

“Sephora was not the target or victim of a data breach, and this agreement with the California Office of the Attorney General (“OAG”) does not constitute an admission of liability or fault by Sephora. We have always cooperated fully with the OAG and Sephora’s practices are already in compliance with the CCPA.”

Furthermore, Sephora explained that it uses data “strictly for Sephora experiences” and that the CCPA does not use “sale” in its conventional sense. Under the act, “sale” covers industry-wide standard practices such as cookies, which allow the company to offer its customers “more relevant Sephora product recommendations,” customized shopping experiences, and advertisements.

Consumers can simply opt out of this via the “CA - Do Not Sell My Personal Information” link, which is available in the footer of the Sephora website, the company said.

In a comment, Yotam Segev, co-founder and CEO of the cloud-native data security platform Cyera, said that “What I find most interesting about the Sephora settlement is that it started with a spot-check audit of more than 100 retailers. This is the sort of thing that keeps security and risk professionals up at night.”

According to Segev, “Business leaders are tasked with finding ways to leverage data to create new revenue streams. Especially with the shift to remote work, permissive access and applications like Google Drive or Slack make it easy to access and spread information across a business.”

“The people or teams involved may have believed they were permitted to monetize this data. How many businesses are prepared for this kind of action? Security and risk teams need a simple way to answer basic questions like What data do I have? Where is it now? Who is accessing it? How should it be governed and secured? Those are questions you need answers to at your fingertips, not something to be found after a lengthy audit process following a security incident,” Segev emphasized.

CCPA Details

Under the law, California consumers are entitled to know what information a business collects about them and how it is used, and to have the data a company has collected about them deleted.

The act applies to for-profit businesses operating in California with gross annual revenue of more than $25 million, and to companies that buy, sell, or receive the personal data of 50,000 or more California residents, households, or devices and derive over 50% of their annual revenue from selling residents’ personal data.

The settlement resulted from a year-long enforcement sweep led by California Attorney General Rob Bonta, who investigated Sephora and many other businesses to check whether any of them had breached the CCPA.
