Consumer Watchdog

Sephora settles case for misuse of customer data

The company's targeted advertising practices allegedly violated the California Consumer Privacy Act.


This week, cosmetics brand Sephora agreed to pay $1.2 million in penalties for allegedly violating the California Consumer Privacy Act, a law that bans businesses from sharing or selling customer data for targeted advertising without the consumer’s knowledge. Sephora also allegedly failed to follow the wishes of consumers who opted out of their data being sold. 

One of the key issues at the heart of the California AG’s decision to pursue the charges against Sephora is the Global Privacy Control. This mechanism allows consumers to set their browsers to broadcast to every website they visit that they do not want their data to be collected and sold to third parties. It makes opting out much easier for consumers than the alternative – setting preferences for each and every website individually, which can be a time-consuming and often confusing process. The California AG alleged that Sephora failed to honor requests from these Global Privacy Control settings.

These types of opt-out mechanisms make it easier for consumers to surf the web without worrying about their data. The best policy for decision makers to pursue, however, is one of data minimization – making it illegal for companies to collect or use any data that isn’t needed for delivering the service a consumer is expecting to get. This strong rule would mean people wouldn’t need to rely on a mechanism like the Global Privacy Control to take back control of their data.
