Thought Leadership

Sephora Data-Privacy Penalties Sound Alarm for Marketers

consumer data
Share this!

Marketers are taking notice of California’s data-privacy laws after cosmetics retailer Sephora agreed last month to pay $1.2 million in penalties for alleged violations involving its targeted-advertising practices.

As NBC News reports, California Attorney General Rob Bonta said Sephora sold its customers’ data without their consent. Sephora also failed to process people’s requests to opt out of their information being sold, Bonta’s office said. Sephora reportedly had an arrangement with third-party companies to monitor customers as they shopped.

Sephora said in a statement that the California law does not define “sale” in the traditional sense of the term. In the state’s definition, Sephora said, “‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads.”

As The Wall Street Journal reports, many companies affected by the California Consumer Privacy Act, which took effect in 2020, didn’t take significant steps to ensure compliance because they mistakenly believed the regulations didn’t apply to them or thought the risks were minimal. The act regulates tracking technology that lets businesses target ads to people who have visited their websites.

Jodi Daniels, CEO of privacy-consulting firm Red Clover Advisors, says her company has been discussing the matter with retailers, publishers, tech companies and business-to-business marketers that handle large quantities of consumer data but have little understanding of the law’s requirements.

On Jan. 1, 2023, a new law called the California Privacy Rights Act will take effect, expanding and amending the existing California law. The new act will increase consumers’ ability to limit the collection of their sensitive personal information, including location data. Similar laws will take effect in Virginia, Colorado, Connecticut and Utah next year.

Data policies have traditionally been the responsibility of a company’s legal counsel or privacy director, but California’s regulations focus on practices typically managed by the marketing department.


For further reading: Using Data Ethically to Inform PR Strategies (Strategies & Tactics, September 2022)

Illustration credit: kentoh

About the author

PRSA Staff

Leave a Comment