Sephora to Pay 1.2 million USD for CCPA Violations

Updated: May 11, 2023

California has fined Sephora 1.2 million US dollars, in a settlement announced in August 2022, for allegedly selling customer data without telling customers or honoring their opt-out requests. According to the state's complaint, the company made consumer information available to advertising and analytics companies without disclosing that this was happening. The law governing this is the CCPA (California Consumer Privacy Act), passed in 2018 and in effect since January 1, 2020.

Sephora sold customer info without consent.

The fine comes from an investigation by the office of the state attorney general, Rob Bonta, into non-compliance with the California Consumer Privacy Act, which went into effect in 2020.

The company is accused of selling customer information to advertisers without customers' knowledge and without honoring their requests to opt out, which, if substantiated, is a violation of the CCPA.

The CCPA requires businesses to tell consumers what categories of personal information they collect, whether they sell it, and which categories of third parties receive it.

Businesses that sell personal information must also disclose that fact in their privacy policy, provide a "Do Not Sell My Personal Information" link, and honor opt-out requests, including opt-out signals sent by the consumer's browser. The CCPA is an opt-out law rather than an opt-in law for adults; affirmative consent is only required before selling the personal information of consumers under 16. Sephora was not meeting these requirements prior to receiving its fine from California.

Sephora, headquartered in Paris with its U.S. arm based in San Francisco and stores throughout the Americas, Europe and Asia, is a subsidiary of LVMH Moët Hennessy Louis Vuitton SE (LVMH).

More fines are coming

The California attorney general is also investigating other online retailers for CCPA non-compliance. The enforcement sweep, announced alongside the Sephora settlement, is the first public enforcement action of its kind under the CCPA.

"If you are an online retailer and you're collecting personal data from Californians, you need to protect it—and we will hold you accountable," Attorney General Rob Bonta said in a statement.

Millions were said to be put at risk by Sephora's non-compliance.

The California Department of Justice announced that Sephora had been fined $1.2 million for failing to comply with California's data privacy law.

The non-compliance means millions of Californians were denied their rights under the law and exposed to potential harm from identity theft or other fraud, because Sephora did not tell its customers that third parties were receiving and using their personal information.

Consumers can only make informed choices about how their personal information is used and shared online if they first have access to accurate information about what happens to that data.

The CCPA (California Consumer Privacy Act) governs data privacy law

The California Consumer Privacy Act mandates that businesses disclose how they use customer data. In other words, for every category of personal information a business collects and stores about a consumer (including name, address, purchase history, and online browsing habits) it must disclose whether it sells or shares that information with third parties.

Sephora didn't do enough to notify customers.

The company has been fined for failing to inform its customers that it was selling the data collected from their activity on its website and mobile app.

According to the press release from the California Attorney General's Office, Sephora violated the act in several ways:

  • It sold consumer data that it collected through its website and app, including browsing and shopping-cart activity and device details.

  • It failed to honor opt-out requests from consumers, including those sent automatically through user-enabled global privacy controls in the browser.

  • It traded consumer data to other companies in exchange for advertising and analytics services, which counts as a "sale" under the CCPA even when no money changes hands.
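The second point is the one engineering teams most often get wrong: an opt-out is only honored if the decision to hand data to ad or analytics partners is actually gated on it at request time. The following is an added example, not code from Sephora, the Attorney General's office or any CCPA tooling. It assumes a hypothetical in-memory opt-out registry keyed by user ID, and treats the Global Privacy Control browser signal (the `Sec-GPC: 1` request header) as a valid opt-out request that is persisted for the user. It also applies the CCPA's opt-in rule for consumers under 16, and shows how third-party tracker tags would be dropped from a page when sharing is not permitted.

```python
"""Gate third-party ad/analytics sharing on CCPA-style opt-out decisions.

Added example (not Sephora's or any vendor's code). Assumptions:
- opt-out records are kept in an in-memory registry keyed by user_id
- the Global Privacy Control signal arrives as the header 'Sec-GPC: 1'
- consumers under 16 require a recorded affirmative opt-in before sharing
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class OptOutRegistry:
    """Hypothetical store of 'Do Not Sell or Share' decisions per user."""
    opted_out: Set[str] = field(default_factory=set)

    def record_opt_out(self, user_id: str) -> None:
        self.opted_out.add(user_id)

    def has_opted_out(self, user_id: str) -> bool:
        return user_id in self.opted_out


def gpc_signalled(headers: Dict[str, str]) -> bool:
    """True if the request carries a Global Privacy Control opt-out signal.

    Header names are case-insensitive; per the GPC spec only the value "1"
    expresses an opt-out, anything else is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def may_sell_or_share(
    user_id: str,
    headers: Dict[str, str],
    registry: OptOutRegistry,
    age: Optional[int] = None,
    minor_opt_in: bool = False,
) -> Tuple[bool, str]:
    """Decide whether this request's data may go to third-party partners.

    Returns (allowed, reason). Order matters: a minor without an opt-in is
    never shared, a recorded opt-out always wins, and a GPC signal is treated
    as a new opt-out request and persisted so later requests without the
    header are still honored.
    """
    if age is not None and age < 16 and not minor_opt_in:
        return False, "consumer under 16 without affirmative opt-in"
    if registry.has_opted_out(user_id):
        return False, "opt-out on record"
    if gpc_signalled(headers):
        registry.record_opt_out(user_id)
        return False, "Global Privacy Control signal received; opt-out recorded"
    return True, "no opt-out on record"


# Constructed sample tag inventory: first-party scripts always load,
# third-party ad/analytics tags only when sharing is permitted.
FIRST_PARTY_TAGS: List[str] = ["/static/app.js"]
THIRD_PARTY_TAGS: List[str] = [
    "https://ads.example-partner.test/pixel.js",       # hypothetical ad pixel
    "https://analytics.example-partner.test/tag.js",   # hypothetical analytics tag
]


def page_scripts(allowed: bool) -> List[str]:
    """Scripts to emit for a page render given the sharing decision."""
    return FIRST_PARTY_TAGS + (THIRD_PARTY_TAGS if allowed else [])


if __name__ == "__main__":
    registry = OptOutRegistry()
    # Constructed requests: a plain visit, a GPC-enabled browser, a minor.
    for uid, hdrs, age in [
        ("alice", {"Accept": "text/html"}, None),
        ("bob", {"Sec-GPC": "1"}, None),
        ("bob", {"Accept": "text/html"}, None),   # no header, opt-out persists
        ("carol", {"Accept": "text/html"}, 15),
    ]:
        allowed, reason = may_sell_or_share(uid, hdrs, registry, age=age)
        print(f"{uid:6} allowed={allowed!s:5} ({reason}) -> {page_scripts(allowed)}")
```

The point of persisting the GPC signal is that a browser may not send the header on every request (for example on API calls made by an app), so an opt-out that is only checked against the current header set would silently leak on the next request.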

Businesses need to know what the CCPA is and ensure compliance

The first step in compliance with the California Consumer Privacy Act is to inventory the personal information you collect, where it is stored, and which third-party scripts, SDKs and partners receive it, so that your privacy disclosures and opt-out mechanism actually match what your website and app do.

You also need to train your employees. This can include training them on how to provide customers with a privacy policy that addresses their needs and is easy to understand, and on how to recognize and process opt-out requests.

You need to give your customers a clear way to manage their personal information within their account, so that they know what information is being collected and shared; where it is stored; who has access (including third parties); and what security measures are in place to protect it from unauthorized access or misuse.

Training should also be provided for vendors who have access to consumer data in order to provide their services (e.g., cloud providers), and their contracts should restrict what they may do with that data.

We know that compliance can be a challenge for businesses, but you don't have to do it alone. Contact us today for more information about how we can help your company stay compliant with privacy laws like the CCPA.
