On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.

The Attorney General’s decision to levy fines for repeated failures to disclose the sales of consumer data was a fairly predictable result. Before this settlement, however, there was ambiguity as to whether a business had to accept GPC. The statute, in California Civil Code Section 1798.135, provides that a business “shall not be required to comply” with the obligation to display the links “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” a consumer may use to opt-out if the business allows consumers to use an opt-out preference signal. The language suggests accepting GPC is permissive rather than mandatory. However, in July 2021, the Attorney General indicated honoring GPC is mandatory, updating its online FAQ stating that GPC “must be honored by covered businesses as a valid consumer request.” With conflicting language, it was unclear whether responses to GPC were voluntary.

The Attorney General’s settlement with Sephora demonstrates that honoring GPC is mandatory, with Attorney General Bonta concluding that “[t]here are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Compliance with GPC will save companies from exposure to other data privacy laws that have followed the trend of requiring GPC. Connecticut’s new privacy statute, which takes effect July 1, 2023, also mandates GPC, and Colorado’s statute indicates that a consumer may opt out through a “preference or browser setting, browser extension, or global device setting.” It seems likely that other states may continue this trend, given the significant borrowing of language and concepts from existing statutory provisions when drafting new privacy laws.

Companies should work quickly to comply with GPC and other requirements of the CCPA. The California Attorney General makes it certain that failures to correct deficient privacy practices will subject businesses to substantial fines and publicity. GPC provides a FAQ explaining here in the “I’m a publisher, developer, or other service. How can I support GPC?” section and in more detail here.