The lawsuit accused the cosmetics company of violating California consumer data protection laws by harvesting customer information without providing an option to opt out.
Sephora Inc., among the world’s largest cosmetics companies, has paid an estimated $1.2 million to settle a lawsuit claiming that it violated California consumer laws by selling customer information with proper notice.
According to ABC News, Sephora allegedly failed to tell customers that it was selling their data, did not allow consumers an opt-out, and did not take prompt action to remedy the problem once it was brought to the company’s attention.
On Wednesday, California Attorney General Rob Bonta said that Sephora had agreed to resolve the lawsuit by paying $1.2 million and immediately remedying the privacy concerns.
“Data is power, and these days everyone wants it,” Bonta said in a statement.
“Some of the most intimate details about your life are being harvested,” he said. “The more data a company has on you, the more power they have over you, the more they can target you to buy their goods and services.”
Sephora issued a statement saying that it is already in compliance with California state law.
ABC News notes that California lawmakers passed consumer data protection legislation in 2018, which was further expanded by voters in 2020.
The law affords consumers the right to know what information companies collect about them; it also allows consumers to opt out of data collection, and to ask that businesses delete their existing information.
Bonta’s office said that it sent more than 100 companies notices that they were out of compliance.
While the “vast majority” of the companies complied, Bonta said, Sephora did not.
“Their actions compared to others was egregious,” Bonta said.
Reuters reports that Bonta’s investigation into Sephora arose from a so-called “enforcement sweep” in June 2021, which reviewed whether companies were actively honoring consumer opt-out signals through Global Privacy Control, a tool that lets consumers broadly inform websites of their privacy preferences.
Bonta’s office found that Sephora did not honor consumer choices, and failed to amend the violations within 30 days of the attorney general providing notice.
Additionally, Sephora allowed third-party companies to install “tracking software” that let them build detailed consumer profiles.
However, Bonta’s office observed that Sephora’s website promised that the company does “not sell personal information.”
Sephora, notes The Associated Press, settled the lawsuit without admitting liability or wrongdoing.
The company later issued a statement saying that it “respects consumers’ privacy and strives to be transparent about how their personal information is used to improve the Sephora experience.”
Sephora also said that it permitted tracking tools to be used on its website to “provide consumers with more relevant Sephora product recommendations, personalized shopping experiences, and ads.”
Sephora emphasized that customers can now “opt-out of this personalized shopping experience” with ease.