The California Supreme Court recently settled with beauty retail giant, Sephora, in a landmark consumer privacy law case. The state Attorney General alleged that Sephora “failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt-out of sales via user-enabled global privacy controls in violation of the CCPA (California Consumer Privacy Act), and that it did not cure these violations within the 30-day period currently allowed by the CCPA. Given the increasing scrutiny and enforcement of privacy laws, it's crucial for businesses, especially those based in California, to ensure they are compliant. One way to do this is by setting up a California LLC, which can provide the necessary legal protections and structure for your business.”

The settlement requires Sephora to pay $1.2 million in penalties. As the impact of this decision sets in, what lessons can retailers and brands learn about data compliance?

Your Company Can’t Ignore Privacy Laws

Online retailers have benefited from lax enforcement of privacy laws in the past. But they should expect stricter enforcement of the rules moving forward. As web browsers enable support of the Global Privacy Control (GPC) signal (whether by default or with an extension), it will empower online shoppers to specify their privacy preferences. California Attorney General Rob Bonta noted, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.”

If this recent case is any indication, companies that don’t focus on compliance will face stiff monetary penalties, along with significant damage to their brand. 

But what if your company isn’t based in California? Do you even need to worry about this precedent? Well, according to the National Conference of State Legislatures, five states — California, Colorado, Connecticut, Utah, and Virginia — already have comprehensive consumer data privacy laws in place. And at least 15 states are currently considering consumer privacy legislation.

With greater enforcement of privacy laws, what do brands need to do to remain compliant?

Maintaining Data Privacy Law Compliance

In addition to the CCPA, companies are now looking to maintain compliance with the EU’s data privacy directive, the GDPR (General Data Protection Regulation), as many companies based in the US fall within the GDPR’s reach. In fact, states that already have data privacy laws on the books borrowed heavily from the GDPR’s framework.

What steps do retailers and brands need to take to stay compliant with data privacy laws and avoid fines and penalties?

• Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data
• Provide mechanisms for consumers to opt-out of the sale of personal information, including via the Global Privacy Control
• Conform its service provider agreements to the CCPA’s (and GDPR’s) requirements

If your website was not designed with these regulations in mind (most were not), then now is the time to make the necessary changes to your website. Here’s where to start:

• Evaluate your website to ensure all content and links are up to date with CCPA and GDPR guidelines
• Contact your ESP and third-party data platforms to make them aware of any concerns you may have about violations
• Re-evaluate providers if they are unable or unclear on how they keep data safe under regulations

In addition to these steps, being a Listrak client helps brands maintain data privacy compliance. Listrak Information Security has protocols in place to document breach notification to clients as well as full GDPR and CCPA support in cases of customer requests for data or for erasure. Opt-out is handled automatically with in-message links and feedback loops with all major ISP platforms.

Data Privacy Laws Are Here to Stay

This California v. Sephora decision is a wake-up call for retailers that have been putting off CCPA and GDPR compliance. It shows that states and regulatory bodies are serious about enforcing the laws and penalizing violators. Listrak can help you stay compliant, secure your data, and maintain the hard-won trust of your customers.

Is your current Digital Marketing vendor(s) keeping you compliant and your data safe? If you have concerns, reach out to Listrak to learn about a partnership. Also, ask how Listrak’s GXP is collecting zero- and first-party data for retailers like you.