U.S. Privacy Enforcement Heats Up: 1.2 Million Reasons to Respect Privacy Rights

U.S. Privacy Enforcement Heats Up: 1.2 Million Reasons to Respect Privacy Rights
Estimated Reading Time: 7 minutes

On Aug. 24, California’s Attorney General announced a settlement for $1.2 million with a powerhouse beauty retailer (Sephora) due to a violation of consumer privacy rights related to opt-outs under the California Consumer Privacy Act (CCPA). Specifically, the company was found to be using third-party marketing and advertising platforms for targeting activities. Users were not given the ability to effectively opt-out of the collection of their data for these targeting purposes.

Advertisers are waking up to the news asking:

“Wait, aren’t we doing that also?”

“Could we be at risk?”

The answer? Yes and yes

Let’s review this news and what you should be doing now to avoid such headlines.

What was the violation?

Per the California Attorney General, the violation was centered around:

  1. Failure to disclose to consumers that they were selling their personal information.
  2. Failure to process user requests to opt out of the sale via user-enabled global privacy controls.
  3. Failure to cure these violations within the 30-day cure period following initial notification as currently allowed under the CCPA.

“Selling their personal information”—what does that mean in this context?

This means that a company is found using third-party platforms (marketing and advertising technologies) to collect data while consumers are shopping on its digital properties. These third-party platforms could create profiles about consumers based upon things like their device type, brand of products viewed, products being added to a “shopping cart”, and location data. Because a company benefits from these activities by being able to more effectively target potential customers, the activities are found to be within the “selling” definition. 

Ummmm, this sounds a lot like standard digital advertising… Are you saying we’re also “selling” consumers’ personal information?

If you are using any third-party platforms to monitor user behavior on your digital properties and creating audiences for targeting through those platforms, then yes, you are “selling” consumers’ personal information as defined in the CCPA. 

So, then what do we need to do?

Here are the specific injunctive terms related to the recent settlement that can be instructive. You must:

  1. Clarify online disclosures and privacy policies to include affirmative representation that you sell data;
  2. Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control; and
  3. Conform your service provider agreements to the CCPA’s requirements

It is also important to note that if you find yourself the next to be served a notice, you’ll need to provide documentation of how you are addressing each of these points. This is just for the “selling” activities; CCPA has other requirements that you’ll want to make sure are addressed, as well as the Attorney General ramps up other enforcement sweeps to ensure compliance. 

When you say “provide mechanisms for consumers to opt out,” what would those be?

The best place to start is with a Consent Management Platform (CMP). This you will use to manage the actual opt-out experience for users and raise the indication to third-party technologies on your digital properties that the user has opted-out of the sale of their personal information. 

Once the mechanism to allow users to express their opt-out wish is present, you’ll then need to begin restricting third-party platform behavior accordingly. A company can choose to go the blunt route of blocking third-parties from loading and collecting any data upon the user opt-out request, or it could go with a more scalpel approach and just restrict activities that are part of the “sale” process. Here’s a guide that we put together for options with Google Analytics 4 as an example.

I saw something called “Global Privacy Control” was mentioned. What is this?

In the most recent round of draft regulations published by the California Privacy Protection Agency, the concept of “global opt-outs” took center stage. These are mechanisms that allow a user to indicate a global preference to opt-out of things like the “sale” of their personal information that would be set at the browser or device level. Essentially, something a person turns on in their browser and then every website they visit would need to respect the indication as an opt-out. Global Privacy Control is one of the leading mechanisms that users have for this. 

It is really important to make sure that whatever solution you end up using to listen for consumers’ privacy preferences, be that a CMP or a home grown solution, has support to respect these signals. 

Makes sense, I think. You also mentioned a 30-day cure period in the case of a violation—this means I have some time even if California does send us a notice, right?

Unfortunately, the 30-day cure period clause expires on Jan. 1, 2023. After that date, if you are not properly respecting user opt-out requests, then you will be at risk of an immediate violation. In the words of California Attorney General Rob Bonta, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” 

I’ll let you be the judge if you think the California Attorney General will be aggressive in this enforcement. 

This seems like a lot. How am I supposed to handle this along with everything else I’m responsible for?

Fear not! Partners such as InfoTrust can help you understand what is required, as well as actions your organization should be taking now to properly implement technologies such as Google Analytics 4 and consent management platforms. We work with hundreds of global organizations to help them build privacy-centric data architectures that respect user privacy rights while still addressing core business use cases. From audits of your consent architecture, to configuration of third-parties on your website to respect user privacy preferences, to helping glean insights from the data that is compliantly collected, we can provide the knowledge and experience your team needs.

**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**

Questions or concerns?

Contact the privacy-centric digital analytics team at InfoTrust today.


  • Lucas Long

    Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

Originally Published: August 25, 2022

Subscribe To Our Newsletter

January 17, 2023
Originally published on August 25, 2022

Other Articles You Will Enjoy

A South Asian First: Sri Lanka’s Personal Data Protection Act

A South Asian First: Sri Lanka’s Personal Data Protection Act

I know I covered India’s DPDPA first, but, as it turns out, Sri Lanka beat them to the punch. Sri Lanka’s Personal Data Protection…

6-minute read
HIPAA Legislation: What Impact Does This Have on Your Analytics Platforms?

HIPAA Legislation: What Impact Does This Have on Your Analytics Platforms?

If you are a healthcare organization operating in the United States, you are likely aware of the significant increase in the focus on the…

9-minute read
Safeguarding Tomorrow: The Importance of Evaluating Compliance Risk Today

Safeguarding Tomorrow: The Importance of Evaluating Compliance Risk Today

It happens every day: marketing purchases a new platform with the promise of helping the organization meet and exceed business targets. When it comes…

7-minute read
AdTech DNA Simplifies the Complex for Global Advertisers

AdTech DNA Simplifies the Complex for Global Advertisers

As a global advertiser, knowing what is happening across your organization is an endeavor wrought with complexity.  Are your advertising technologies implemented correctly?  Do…

3-minute read
Safeguarding Privacy: South Africa’s Protection of Personal Information Act (PoPIA)

Safeguarding Privacy: South Africa’s Protection of Personal Information Act (PoPIA)

South Africa’s Protection of Personal Information Act (PoPIA) empowers its citizens with enforceable rights over their personal information. The law establishes eight minimum requirements…

9-minute read
Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)

Get to Know India’s Landmark Privacy Legislation: Digital Personal Data Protection Act (DPDPA)

The origins of India’s Digital Personal Data Protection Act (DPDPA) began in 2012 when a report from a committee headed by a former judge…

5-minute read

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.