Lessons Learned from Sephora CCPA Settlement


What are the lessons learned from the Sephora $1.2 million consumer data privacy settlement for potential CCPA violations?

In this 21st century world, people use their phones for far more than talking, and that convenience has a downside. From texting to paying bills to checking email, users must be wary of how readily their personal information is available in the cloud.

Companies set up safeguards to keep attackers out of their sites and to maintain trust with customers. But sometimes the attackers slip through, and companies are forced to regroup and come up with more safeguards.

Today, we’re examining two significant privacy-breach matters involving customer data and share some lessons learned for CX practitioners charged by law — and in the interest of transparency to their customers — to protect consumer privacy.

Lawsuit: Oracle Let Its Guard Down

Oracle, a Fortune 500 company that focuses on enterprise services and cloud technology, let its guard down last month, and as a result it’s in the middle of a class action lawsuit with its consumer base.

As a company, Oracle has built its product to collect and organize personal data. Chances are the recent breach has affected more than just the top tier of its clients. It services five billion people, which amounts to more than half of the world’s population. The lawsuit was filed in the Northern District of California.

According to the Council for Civil Liberties (ICCL), Oracle has taken advantage of unwitting internet users to amass a vast archive of data that includes intimate details. The billions of personal dossiers in the Oracle Consumers Identity Graph contain data points like income, interests, emails, medical care, political views, location history and even detailed online spending and account activity. As an example of how deeply Oracle reaches into people’s lives, the ICCL says that one Oracle database included a record of a German man who used a prepaid debit card to bet $10 on a sporting event.

Related Article: Oracle, Sephora Face Data Privacy Woes, Medallia Acquires Mindful, More CX News

Sephora Becomes First CCPA Settlement

Another company also defending its privacy policy is Sephora, a French multinational retailer of personal care and beauty products featuring nearly 340 brands along with its own private label. Last month, it was involved in a $1.2 million settlement with the state of California for potential California Consumer Privacy Act (CCPA) violations.

It was the Golden State’s first enforcement action under the CCPA. Sephora allegedly failed to tell consumers that it sold personal data collected on its website, and did not process requests to opt out of those sales made through privacy controls set by users.

“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer’s data and ignore requests to opt-out of its sale,” California Attorney General Rob Bonta said in a statement. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

US Federal Privacy Law Coming?

These violations evoke the question for privacy lawmakers in the US: is it finally time the US passes a sweeping federal privacy law? 

Anas Baig, product lead for SECURITI.ai, a digital evangelist and a CMSWire contributor, said that since the General Data Protection Regulation (GDPR) came into effect in the European Union (EU) back in 2018, a slew of data protection regulations have been passed globally. While the GDPR was not the first such data protection law in the world, it has been the inspiration behind several regulations passed in its aftermath.

He added that in the United States, on the other hand, lawmakers continue to mull over whether a federal data protection law is needed. In the absence of such legislation, individual states have been expected to come up with relevant regulations that afford users in their jurisdiction adequate protection online, while the road to federal data regulation will probably remain long and tumultuous.

Related Article: Making Sense of the Growing Legislation to Protect Customer Data

Why Sephora’s Settlement Is Significant

Sephora’s fine is significant for two distinct reasons, according to Baig. “The first is that Sephora isn’t a typical digital business,” he said. “It is a cosmetics retailer that does only a part of its business online. Secondly, this is the first time since the CCPA came into effect that a business has been dealt such a fine. Ever since it came into effect, there has been visible urgency for businesses to evolve and make any relevant changes in their digital ways of processing data to avoid any violations. The CCPA empowered users with certain consumer rights, most notably over the sale of their personal data collected by businesses in California.” 

“The regulation requires all consumers to be informed of any sales related to their data,” Baig said. “Additionally, all such data collected on them can be required to be removed, apart from certain exceptions. Likewise, they can opt-out of having their personal data sold at all.”

Sephora’s website collects a wide range of personal data — as defined by the CCPA — on its users, such as their location, the device used, the operating system, the browser used and other unique identifiers. The company then allowed third parties to access all of this data, via cookies, in return for advertising and analytics services. Under the CCPA’s regulations, even if Sephora had disclosed these practices in its privacy policy, disclosing information in exchange for third-party services counts as a sale.

Sephora also failed to display a clear “Do Not Sell My Personal Information” message on its homepage, in its privacy policy or on other web pages. Nor did the website process opt-out browser signals.
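As an added example that is not from the article or from Sephora: a minimal server-side check that honors the Global Privacy Control header (the GPC specification's `Sec-GPC: 1` request header) or a stored “Do Not Sell” opt-out cookie before any of the data points the article lists are handed to advertising or analytics tags. The cookie name `dns_opt_out` and the visitor record layout are assumptions for the example.

```python
"""Added example (not the article's or Sephora's code): apply a CCPA opt-out
before data leaves the server. GPC browsers send the header 'Sec-GPC: 1';
the 'dns_opt_out' cookie name is an assumed, site-specific choice."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Data points the article says the site collected and passed to third parties
SHARED_FIELDS = ("location", "device", "os", "browser", "unique_ids")


@dataclass
class SharingDecision:
    opted_out: bool
    reason: str
    load_third_party_tags: bool
    payload: dict = field(default_factory=dict)


def gpc_signal_present(headers: dict) -> bool:
    """True when the browser sends the GPC header (name is case-insensitive) with value '1'."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opt_out_cookie_set(headers: dict) -> bool:
    """True when the user clicked 'Do Not Sell' earlier and we stored dns_opt_out=1 (assumed name)."""
    cookie_header = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    jar = SimpleCookie()
    jar.load(cookie_header)
    return "dns_opt_out" in jar and jar["dns_opt_out"].value == "1"


def decide_sharing(headers: dict, visitor: dict) -> SharingDecision:
    """Either opt-out signal blocks the ad/analytics tags and strips the shared payload entirely."""
    if gpc_signal_present(headers):
        return SharingDecision(True, "gpc-signal", False, {})
    if opt_out_cookie_set(headers):
        return SharingDecision(True, "do-not-sell-cookie", False, {})
    # No opt-out: only the enumerated fields go to the vendor, never the full visitor record
    payload = {k: visitor[k] for k in SHARED_FIELDS if k in visitor}
    return SharingDecision(False, "no-opt-out", True, payload)
```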

Customer Analytics Is Still a Gray Area

The use of analytics is still a gray area. Analytics tools are the future of digital marketing and key indicators of how a business performs with its customers online, but with a caveat, according to Baig. “However, as the Sephora case has highlighted,” Baig added, “the exchange of data with analytics providers such as Google and Facebook may not be as straightforward and simplistic as previously assumed.”

The mechanisms deployed by these analytical and automation tools will now be considered a sale under the CCPA. “Considering how the California Privacy Rights Act (CPRA) will come into effect in 2023 and will extend to the ‘sharing’ as well as ‘selling’ of data, the use of the analytical tool may require further deliberation by businesses,” Baig said.

While these tools may continue to be deployed online, businesses may need to renegotiate just how much data they’re willing to expose and whether their current arrangements with the providers of analytical tools could pose a similar danger for them going forward, Baig said.
