Summary: Coming on the heels of Sephora’s violation and fine by the CCPA, Morgan Stanley’s failure to protect customers’ PII and subsequent fine by the SEC (US $35 Million) is a revelation of sorts. This fine raises pressing questions for businesses on the far-reaching implications of a data breach, as this is the second fine on Morgan Stanley for the same issue. Read this blog to understand what Morgan Stanley did wrong and how it could have avoided it. The blog will also help businesses, and customers understand the importance of data security, data erasure, and choosing the right partner to dispose of end-of-life IT assets.
August 24 came as a rude awakening call for beauty giant Sephora, making it the first instance of a fine being imposed since California’s data privacy law CCPA was enacted in July 2020. California’s Attorney General Rob Bonta’s tough stance against data privacy violations was reinforced in his online news conference where he claimed, “The kid gloves are coming off.” It comes on the heels of a yearlong sweep into online retailers by the office of the AG.
How Sephora violated CCPA?
CCPA provides residents of California with more control over their personal data. In our articles before we have already cited how CCPA gives customers the right to know what data is collected, sold, or disclosed and to whom. The customers are also given the “right to opt-out,” meaning denying the sale of their data, getting their data deleted from the business’s database, and not being discriminated against for exercising their rights. Furthermore, CCPA also requires that if a customer has “user enabled privacy controls,” it should be treated the same as when customers click on the “do not sell” link. Sephora violated the basic tenants of CCPA by failing to disclose to customers that their data was being sold. It also violated customers’ requests to opt-out of the sale of their personal information and ignored the same when conveyed using global privacy control supporting browsers and extensions.
Understanding Sephora Violations and What it Means for Businesses:
The AG’s office filed the official complaint in the Superior Court of California for the county of San Francisco under civil code 1798.100 and the unfair competition law section 17200. The complaint highlighted the following violations:
Global Privacy Control (GPC)
Sephora’s website traffic analysis revealed that despite the signal of “do not sell” communicated from the GPC browser and extensions, it had no effect. The data continued flowing to third-party vendors and data analytics providers.
Data Sale
Sephora was selling the personal data of customers to a third party; therefore, it was required to followthe guidelines of CCPA:
- Sephora did not disclose the categories of data they sold in the previous 12 months to the customers whose data was sold.
- They did not have a “Do Not Sell My Personal Information” link on their website and mobile app, nor did they have any means for customers to opt out.
- They sold the customer data despite customers exercising their right to opt out, including customers using GPC.
Cure Period
Once these violations came to light, Sephora was given 30 days to cure the issues or face legal liabilities. Here, Sephora failed to remedy them and remained defiant.
CCPA has been a trailblazer for data privacy and protection laws in the US. However, since its enforcement, it has been a wait-and-watch game to see how it measures against the stringent GDPR, which has imposed fines worth billions of euros for data privacy violations. Sephora’s fine has opened the floodgates and set the pace for future settlements. As a result, businesses that fall under the purview of CCPA need to take a hard look at their company policies to save themselves from the same fate. The AG Rob Bonta has clarified his intentions: “My office is watching, and we will hold you accountable.”
Tips to Safeguard against CCPA Violations
Companies must take concrete steps to safeguard themselves against CCPA violations. These tips can be helpful for them:
- Customer Rights: Respecting and honoring customers’ rights is the first step toward ensuring compliance. The rights of opting out, not selling data, the right to deletion, and more are mentioned in CCPA, providing clear guidelines for protecting these rights.
- Transparency: Data collection and its intended purpose must be transparently communicated to the customer. The data must be used only for the intended purpose, and if the purpose is being modified, explicit permission must be taken from the customer.
- Data Monetization Process: Companies must be cautious while devising the process for selling or sharing customer data. Explicit permissions are necessary from the customers before their data can be sold or shared with a third party.
- Contract Modification: Businesses must ensure that their contracts with any entity where they share or sell customer data are updated to include the data privacy provisions of CCPA.
- Privacy Policies: Websites must be updated to have the latest privacy and cookie policies aligned with the data privacy guidelines of CCPA.
- Data Privacy Mechanisms: Business websites must have a “Do Not Sell My Personal Information” link or an easy-to-access and visible option for customers who don’t want their information sold. Also, websites must ensure that they honor the request they receive via GPC browsers or extensions.
- Data Destruction Policy: The data of customers and its protection lies with the company; a robust data destruction policy must be devised to ensure that once a data deletion request is received, the data is erased from the systems permanently. Also, an erasure certificate helps satisfy the “burden of proof” required for audit, compliance, and customer satisfaction. A secure data erasure software helps meet CCPA compliance.
Conclusion: Time to Adopt a Data Privacy Policy
The initial days of CCPA were characterized by a callous and unconcerned stance by most businesses as they remained indifferent to the repercussions; this fine on Sephora has come as a jolt for many. The indications for a severe penalty are clear and may prove detrimental to the future of how businesses view customer data. Time to adopt and implement a data privacy policy as part of data lifecycle management is an urgent need. Businesses must start viewing customer rights with the highest regard they deserve.
