Sephora to pay $1.2m to settle Cali privacy law claims – and why this is a big deal

Sephora has agreed to cough up $1.2 million to settle claims it broke California's privacy law. This is the first pay out the US state has secured using the relatively new legislation – and will be a shot across the bows of corporations selling information about people without their full consent. The settlement follows Cali …

  1. Auntie Dix Bronze badge

    "My office is watching, and we will hold you accountable."

    Well done, AG Bonta!

  2. Anonymous Coward

    I have but one question

    If a company does not SELL client information but only gives it away, that is still illegal too, no?

    The answer should be yes, but that would put every company which allows WhatsApp potentially at risk. I suspect Zuck could get quite upset about that (in his very private I-bought-out-all-my-neighbours mansion).

    For you Europeans out there, that IS already illegal in Europe if the address book on the phone in use contains but one personal contact detail of someone who has not given explicit permission for this to happen.

    1. OhForF'

      Re: I have but one question

      The article says:

      It's worth noting, however, that the California Privacy Rights Act (CPRA), which expands the CCPA and goes into effect in January 2023, also mandates companies not "share" folks' personal information with third parties.

      so it is probably not yet illegal to share data without selling it in California, but it will be from the start of next year.

      The regulatory capture in California (and the rest of the US) must be going pretty strong if it is really significant that the AG is going after a company in a case he seems willing to settle instead of actually creating a legal precedent.

    2. low_resolution_foxxes Silver badge

      Re: I have but one question

      Depends what the wording is.

      In this context a better word is "trade", because if they are trading information about customers with 3rd parties, without consent, for financial gain -

      Well that is technically a commercial relationship.

      It sounds like a good development. Marketing droids remain the worst offenders on stuff like this. A desire to "gain audience insights" and a typical lack of IT knowledge, combined with a complete disinterest in customer privacy is never a good mix. It is literally not in their career interests to have customers requesting privacy.

    3. MachDiamond Silver badge

      Re: I have but one question

      "If a company does not SELL client information but only gives it away, that is still illegal too, no?"

      They don't "sell" the information now. They "share" it with their "partners". Their partners share their revenue with them or reciprocate "in-kind". All weasel wording that can be reduced down to an exchange of one thing for another or, more simply, a sale.

      1. BobTheIntern

        Re: I have but one question

        Also, what constitutes a Third Party or Partner organization?

        I would hazard that Zuck & Co. would argue that InstaBook is FaceGram is WhatsItToYouApp... which is to say it's all Meta.

        1. MachDiamond Silver badge

          Re: I have but one question

          "Also, what constitutes a Third Party or Partner organization?"

          A "partner" is a customer. The information offered for sale is that of a "user". A stockholder is defined as corporate management with stock and stock options when a statement talks about a company doing something for the benefit of stockholders.

          It's not the governments that want society to be cashless, it's the large companies. If you are forced to pay via a method that is tied to you, they love it. Cash is far too autonomous when marketing data needs to be much more precise than just numbers of units sold.

    4. Anonymous Coward

      Re: I have but one question

      "For you Europeans out there, that IS already illegal in Europe if the address book on the phone in use contains but one personal contact detail of someone who has not given explicit permission for this to happen."

      I believe that the likes of Facebook will point out that the "entity" doing the sharing is the phone's owner, not Facebook, and that you should take it up with the phone owner (i.e. your family/friends/acquaintances). Indeed I assume there is some Facebook legalese that states that they expect/assume the phone owner has obtained permission from individuals to share their personal data - which then theoretically gets Facebook off the hook. The GDPR has an exemption for "domestic activities" and so no action will ever be taken against the individuals (phone owners) doing the sharing.

      It would however be a different matter if it's a company phone, as the domestic GDPR exemption obviously does not apply in that situation.

      I would have thought that the fact that Facebook intended this sharing to occur as part of their apps' design, and that they are relying on the majority of people not to read any legalese that might appear, would put them "in the frame" for causing such sharing to occur, but I've seen no sign of any of the European Data Protection regulators considering this.

      1. Falmari Silver badge

        Re: I have but one question

        I think the GDPR requires more than just an assumption on Facebook's part that the sources of personal data they are collecting and storing have permission to share what is others' personal data.

        1. Anonymous Coward

          Re: I have but one question

          "I think the GDPR requires more than just an assumption on Facebook's part that the sources of personal data they are collecting and storing have permission to share what is others' personal data."

          Facebook's way was to put some legalese in their T&Cs/Privacy Notice for the app that the person with the phone (who is doing the address book sharing), by doing that sharing, is agreeing that *they* have obtained permission from the individuals for the sharing. It's Facebook's way to shift the "blame" onto someone else.

          However this doesn't change the fact that, even if the phone owner did obtain permission, Facebook would be acting as either a Data Processor (for the phone owner) or else a Data Controller in their own right for the shared personal data, and it's not clear (i.e. not transparent - where's the Privacy Notice explaining this?) as to the nature of Facebook's role in that scenario as either a Data Processor or Data Controller.

    5. Anonymous Coward

      Weasel words let weasels wriggle and wriggle

      "Sale" gets tricky, as if you take a narrow view then the company will "trade" or "gift" the data to whatever third party they want, then coincidentally that company will pay generously for some other valueless "service" to whitewash the books.

      If you don't believe me look into how the US radio stations laundered literal pay-for-play money by buying stations radio playlists, a practice that continued well into the internet streaming era.

      Also, being an idiot who fell off the turnip truck and just giving data to a 3rd party with no return of value should still be actionable if that party uses or discloses that information against the consent or without the knowledge of the object of that data. Because you know, ...they are people. And as we are seeing across the American south, leaking someone's purchase of prenatal vitamins could result in stalkers, vigilante lawsuits, or murder charges.

      These are some of the many reasons that data transfers need to be regulated and restricted, opt-in only, and revocable. They also need sharp enough teeth that companies won't risk it or just decide to pay the fines. Yes the companies will whine, no the world won't end, and few people will miss the scumbag outfits this will kill off.

  3. John Smith 19 Gold badge

    Probably not enough. It's *our* data. Not theirs

    At that level they will consider it a "Cost of doing business" rather than a real stop-f**king-doing-this.

  4. Doctor Syntax Silver badge

    I'm not sure it's that big a deal. A big deal would be a criminal conviction and a fine. A modestly sized but just about reasonable deal would be a settlement that includes an admission of guilt and a ban on subsequently spouting bollocks claiming they did nothing wrong.

    1. Anonymous Coward

      a ban on subsequently spouting bollocks claiming they did nothing wrong

      I agree. Personally I think that is one of the things very wrong with the US legal system: the ability to claim innocence because you have the money to buy yourself out.

      1. Doctor Syntax Silver badge

        The money to buy out should also be large enough to ensure the shareholders take action such as replacing the board with one which will sue their predecessors, fire the CEO and sue him as well. It shouldn't be enough to write off as a cost of doing business.

      2. Dimmer

        Regardless of what side you are on, take a look at how the 2000 Mules video acquired the data to support their claims. With enough money, you can track anyone. The info is for sale.

        Think you can block it?

        I did a test on an Android phone. Installed a VPN in tunnel-all mode to a firewall that blocked everything except DNS and one website. Sniffing the WiFi signal, it showed Google bypassing the tunnel to phone home and upload data.

        Grrrr

  5. trindflo Bronze badge

    " ... the attorney general is defining the sale of data really broadly."

    As opposed to saying it only counts if it appears in shrink-wrap on a department store shelf? The Forrester Research analyst is shocked that the attorney general didn't just buy the Sephora weasel-words that it is just an experience and not theft at all?

  6. MachDiamond Silver badge

    More risk, please.

    I keep saying that any company that collects and stores information on people, customer or not, be at risk for company ending fines and jail time for the executives should the information be improperly handled in a negligent way. This makes it risky for companies to casually store, buy and sell information. Those companies that do will see that they need to be very diligent about security. A relatively small fine and no downside for the executives makes poor security a financial decision. Do they spend more on keeping software up to date and having a top notch IT staff or will the occasional fine be less costly than doing all that?

    There is a condition with Copyright that turns a potentially minimum fine into a much larger one. That's whether the infringement was "willful". The same sort of thing could apply to PII storage, purchase and sales. If a company was shown to be negligent and opted for accepting the occasional fine as just a cost of doing business, the fine could be escalated way off the charts with lots of room in between so it's just the C-Level being fitted for stripy jumpers and the stockholders not losing their investments if they just have passive money invested.

  7. Potemkine! Silver badge

    If lawmakers weren't corrupt, they would make 'opt-in' mandatory before sharing personal information. Most of the privacy problems would be addressed then.

    == Bring us Dabbsy back! ==

    1. MachDiamond Silver badge

      "If lawmakers weren't corrupt, they would make 'opt-in' mandatory before sharing personal information. "

      "Sharing" the information is not the whole story. Just keeping tabs on people is a big problem when those databases wind up unsecured and exposed.
