Podcast
The Weekly Breach Breakdown: Don’t Get Caught with Your Hand in the Cookie Jar – CCPA Violation Leads to $1.2M Fine

  • 09/16/2022
  • The California Consumer Privacy Act (CCPA) has been around for years. However, the California Attorney General (AG) has only now announced its first CCPA enforcement action: an agreement with Sephora to pay a $1.2 million fine for a CCPA violation.
  • The CCPA gives consumers privacy rights and imposes obligations on certain businesses if they have customers in California. Companies subject to the law must inform consumers if they collect, store, use or sell their personal information and allow them to opt-out.
  • Sephora was partnering with companies that could see the type of device a customer was using to access the company’s website, shopping cart items and precise location data. However, Sephora’s website claimed the company did not sell personal information.
  • To avoid a CCPA violation, businesses should 1) See if they are subject to the CCPA, 2) See if they are sending or receiving data from a CCPA-compliant vendor, and 3) Check and see if their vendor’s tools are privacy friendly.
  • To learn about data compromises, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) improved data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Don’t Get Caught with Your Hand in the Cookie Jar

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for September 16, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we talk about the first enforcement action taken under the California Consumer Privacy Act, also known as the CCPA. California’s strict privacy law has been around since 2018. However, the State Attorney General (AG) has just reached an agreement with the retailer Sephora to pay a $1.2 million fine following a CCPA violation. While we’re talking about a California law, this decision could have a wide-ranging impact beyond the Golden State and the retail sector.

What is the CCPA?

The CCPA gives consumers a series of privacy rights and imposes related obligations on certain businesses if they have customers in California. Chief among the obligations, companies subject to the law must inform consumers if they collect, store, use or sell their personal information and allow them to opt-out. Hence the reason for today’s episode title – “Don’t get caught with your hand in the cookie jar.”

CCPA Violation Issued to Sephora

Sephora was partnering with companies that could see the type of device a customer was using to access the company’s website, shopping cart items and precise location data. However, Sephora’s website claimed the company did not sell personal information.

Also, according to the State, Sephora failed to configure the company’s website to allow visitors to opt-out of having their personal information sold even when they selected the option to do so. The company was also sharing data that could allow a third party to make conclusions about a person’s health, including pregnancy.

What This Means for Businesses Using Web Analytics in Digital Marketing

Here are three questions to help you determine if you need to review your marketing practices to avoid a CCPA violation.

  1. Are you subject to the CCPA? If you are, ensure you understand your obligations to inform consumers and give them the opportunity to opt-out of data sales (and the other rights they are given under the Act).
  2. Are you sending or receiving data from a CCPA-compliant vendor? California considers common web analytics tools like Facebook pixel, for example, to be selling personal data to Facebook unless Facebook is your web analytics vendor. Businesses that share personal data but don’t want to be classified as selling that information should consider adding specific contract provisions that limit the use of shared data.
  3. Are your vendors’ tools privacy friendly? Consider using a vendor that offers services designed to be privacy compliant. Facebook and Google, for example, offer “limited” or “restricted” data and tools that are considered to be CCPA-friendly.
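The two failure modes described above (an opt-out selection that is not actually honored, and third-party pixels that receive personal data the site's notice says it does not sell) come down to one control on the website: decide which tags may load only after resolving the visitor's opt-out and each vendor's role. The following is an added example, not code from the ITRC, Sephora or any vendor; the tag names, the `service_provider`/`third_party` classification, the data fields, and the optional browser-level opt-out signal are all assumptions used for illustration.

```javascript
// Added example: gate third-party marketing/analytics tags on the visitor's
// opt-out choice and on each vendor's contractual role. All vendor names,
// roles and fields below are constructed for the example.

const VENDOR_ROLES = Object.freeze({
  // Vendor bound by contract to use the data only for this site's purposes;
  // sharing with it is not treated as a "sale" here (assumption).
  SERVICE_PROVIDER: 'service_provider',
  // Vendor free to use the data for its own purposes; sharing is a "sale".
  THIRD_PARTY: 'third_party',
});

// Constructed tag catalogue: which vendor each tag reports to and what it sends.
const TAG_CATALOGUE = Object.freeze([
  { id: 'site-analytics', role: VENDOR_ROLES.SERVICE_PROVIDER, fields: ['device', 'cart'] },
  { id: 'ad-pixel-a', role: VENDOR_ROLES.THIRD_PARTY, fields: ['device', 'cart', 'geo'] },
  { id: 'ad-pixel-b', role: VENDOR_ROLES.THIRD_PARTY, fields: ['device'] },
]);

// Resolve the effective opt-out. The site's own stored toggle counts, and so
// does a browser-level signal if the site chooses to honor one (assumption;
// e.g. navigator.globalPrivacyControl). Either one set means "do not sell".
function resolveOptOut({ storedChoice, browserSignal } = {}) {
  return storedChoice === 'opt-out' || browserSignal === true;
}

// A tag may load for an opted-out visitor only if its vendor is a service provider.
function mayLoadTag(tag, optedOut) {
  if (!optedOut) return true;
  return tag.role === VENDOR_ROLES.SERVICE_PROVIDER;
}

// Build the load plan, recording why each withheld tag was withheld so the
// decision can be logged for audit.
function planTags(catalogue, prefs) {
  const optedOut = resolveOptOut(prefs);
  const load = [];
  const withheld = [];
  for (const tag of catalogue) {
    if (mayLoadTag(tag, optedOut)) {
      load.push(tag.id);
    } else {
      withheld.push({ id: tag.id, reason: `opted out; ${tag.role} would receive ${tag.fields.join(', ')}` });
    }
  }
  return { optedOut, load, withheld };
}

// Detection check: for an opted-out visitor, list any third-party tag that a
// plan would still load. A non-empty result is the "toggle not honored" bug.
function auditPlan(plan, catalogue) {
  if (!plan.optedOut) return [];
  const byId = new Map(catalogue.map((t) => [t.id, t]));
  return plan.load.filter((id) => byId.get(id).role === VENDOR_ROLES.THIRD_PARTY);
}

// Execute the plan through an injected loader (in a real page, a function that
// appends a <script>; here any callback). Returns the number of tags loaded.
function applyPlan(plan, inject) {
  for (const id of plan.load) inject(id);
  return plan.load.length;
}

// Demonstration with a constructed visitor who selected "opt out" on the site.
const demoPlan = planTags(TAG_CATALOGUE, { storedChoice: 'opt-out', browserSignal: false });
const demoLoaded = [];
applyPlan(demoPlan, (id) => demoLoaded.push(id));
console.log(JSON.stringify({
  loaded: demoLoaded,
  withheld: demoPlan.withheld,
  violations: auditPlan(demoPlan, TAG_CATALOGUE),
}, null, 2));
```

The audit function is the part worth wiring into a test suite: run it against the plan produced for an opted-out visitor on every deploy, and a non-empty result flags a regression like the one the State described before it reaches production.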

If you have questions about the CCPA and how it might apply to you so you can avoid becoming the next Sephora, be sure to check with your legal counsel.

Contact the ITRC

If you think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST).

Next week, be sure to listen to our sister podcast, the Fraudian Slip, when we discuss our 2022 Consumer Impact Report, which looks at how people are affected by identity crimes. Also, in October, we’ll publish our report on how small businesses are impacted by identity crimes and cyberattacks.

We will return in two weeks with another episode of the Weekly Breach Breakdown.
