The recent first enforcement of the California Consumer Privacy Act (CCPA) set the stage for domestic regulation of data privacy and how companies might navigate the collection and use of customer data, including its sale to third parties.

Personal care and beauty products retailer Sephora agreed to pay a $1.2 million fine in a settlement with California in response to a complaint filed by Rob Bonta, the state’s attorney general. The accusations claimed Sephora did not inform consumers that their personal information was being sold while allegedly stating on its website that it did not sell personal information. The complaint further alleged Sephora did not offer an easy-to-find link on the web or its app that customers could use to opt out of the sale of their personal information.

Growing regulations are starting to take hold on data privacy and collection, though enforcement may come as a trickle, for now, rather than a flood, says Cobun Zweifel-Keegan, International Association of Privacy Professionals’ (IAPP) managing director in Washington, D.C. The Sephora settlement though shows that the state is actively enforcing the law. “This should not be completely surprising to anyone who has been following … the way that California regulators have been talking about their interpretations of [CCPA],” he says. “This is the bringing into reality of those interpretations and making it clear that there are enforcement teeth behind the requirements in the CCPA.”

Zweifel-Keegan says the introduction of more enforcement bodies will likely lead to more cases, including in other states such as Colorado, which is finalizing its data privacy regulations.

California attorney general’s focus on “Do Not Sell” and the use of ad providers was also not where the community expected regulators to move first, says DataGrail CEO Daniel Barber. “I don’t think the Sephora response was what the community actually expected,” he says. “This kind of put shockwaves through the industry.”

The AG’s moves may have put privacy professionals on the backfoot, Barber says, and raised questions about ad tech that relies on customer information, which companies might see as collection and processing rather than being sold. “Any business that uses ad providers really is put into question whether they’re selling information or not,” he says.

What Constitutes a Sale?

There are different perspectives, Barber says, on what constitutes a sale. For example, what if information is exchanged between companies without money changing hands? “Many in the community would have argued that was not the ‘sale’ of information,” he says. “Now it is very clear the AG intends to take a stand on this particular definition, an ad tech definition, being included as part of the concept of ‘Do Not Sell.’” Other state-level regulations may have similar constructs to CCPA, Barber says. “The impact will be ongoing for the coming months.”

Data collection and privacy is an increasingly complex issue that has come to include concerns about how consumers are targeted with ads, judged by financial lenders, and inferences that might be made about women’s health as numerous states enact anti-abortion laws.

Some of the language in California’s complaint and settlement with Sephora helps to frame the perspectives regulators might adopt. For example, California’s complaint cited tracking software on Sephora’s website and app that let third parties monitor consumers, give the companies insight on the types of computers the consumers used, personal location, and the types of products added to their online shopping carts. The third parties could then present analytics based on such information to Sephora to better target digital ads.

There is more regulatory legislation in the works. For example, California legislators are working on a privacy law to prohibit the creation and use of so-called addictive features on social media. California is also working on privacy protections for minors who go online. “They’re really conceived around kid and teen safety,” Zweifel-Keegan says. “They do have implications for privacy in that they will impact how companies collect and process personal information.”

Surveillance Practices

California’s regulators went on to describe such practices as “third-party surveillance,” which is comparable to the Federal Trade Commission calling out “commercial surveillance” recently in reference to the collection, analysis, and commercial profit gained from data gathered from the public.

Zweifel-Keegan says organizations should have contracts between data controllers and data processors or between companies and their service providers to specify what the purpose is behind the processing of personal information from customers and what the limits should be. “That is something that came up in the Sephora case because it appears that there were some of the third-party entities that can collect personal information through publishers’ websites,” he says.

There is also the matter of presenting clear options for customers to opt out of allowing their information to be gathered and sold. The privacy community, Zweifel-Keegan says, is thinking about what it means to offer useable choice mechanisms for consumers with discussions on how they are presented. “There’s a lot of talk about ‘choice fatigue’ -- having too many pop-ups, too many questions,” he says. “It leads to consumers not necessarily feeling like they’re in the driver’s seat.”

Zweifel-Keegan says the settlement between Sephora and California does put into perspective that data collection, privacy, and related analytics will likely face more scrutiny across the market. “It’s not just big tech that needs to think about privacy,” he says. “That’s a clear message California’s sending by coming to a company like Sephora.”

What to Read Next:

What the FTC’s Scrutiny of Data Collection and Security May Mean

Can Data Collection Persist Amid Post-Roe Privacy Questions?

Roe v. Wade and the New, Murky Data Privacy Morass

What Federal Privacy Policy Might Look Like If Passed