Sephora Violated Consumer Privacy Regulations


October 05, 2022

Sephora has recently agreed to pay USD 1.2 million for violating the California Consumer Privacy Act (CCPA), the law that limits the collection and sharing of consumers' personal data and guarantees consumers certain rights over how that data is used.


The cosmetics retailer came under criticism after the California Attorney General established that it had failed to disclose to consumers that it was selling their personal information, and that it had not allowed them to opt out of that sale.

Specifically, Sephora unlawfully monitored the online activity of its customers by allowing third parties to install tracking software on its website and to record customers' location and activity. That data was then used to profile consumers and to target them with personalised content.


In addition to paying the penalty mentioned above, under the settlement (which is subject to court approval) Sephora has undertaken to amend and clarify its privacy policy so that it contains all the information required about the sale of personal data, to give consumers a working way to opt out of the use of their personal data for these purposes, and to bring its contracts with its service providers into line with the requirements of the Act. It must also report to the Attorney General on the measures it takes to comply.

Notably, this is the first settlement concluded under the CCPA since the Act took effect on 1 January 2020.

Law enforcement

The settlement, however, is only one part of a broader effort by the California Attorney General to enforce the law governing consumer privacy.

The Attorney General has also sent notices to numerous businesses that fall within the scope of the Act, alleging non-compliance and reminding them of their obligation to bring their operations into line with it.

The Act applies to for-profit businesses that do business in California, that collect the personal data of California residents (or on whose behalf such data is collected), that alone or jointly with others determine the purposes or means of processing that data, and that meet at least one of the following thresholds: annual revenue of at least USD 25 million; personal data of at least 50,000 consumers, households or devices; or at least 50% of annual revenue derived from selling consumers' personal information.

This article is for information only and does not constitute legal advice. If you need further information, please contact us directly.