The California Supreme Court recently settled with beauty retail giant Sephora in a landmark consumer privacy law case. The state Attorney General alleged that Sephora “failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt-out of sales via user-enabled global privacy controls in violation of the CCPA (California Consumer Privacy Act), and that it did not cure these violations within the 30-day period currently allowed by the CCPA.” Given the increasing scrutiny and enforcement of privacy laws, it's crucial for businesses, especially those based in California, to ensure they are compliant. One way to do this is by setting up a California LLC, which can provide the necessary legal protections and structure for your business.

The settlement requires Sephora to pay $1.2 million in penalties. As the impact of this decision sets in, what lessons can retailers and brands learn about data compliance?

Your Company Can’t Ignore Privacy Laws

Online retailers have benefited from lax enforcement of privacy laws in the past. But they should expect stricter enforcement of the rules moving forward. As web browsers enable support of the Global Privacy Control (GPC) signal (whether by default or with an extension), it will empower online shoppers to specify their privacy preferences. California Attorney General Rob Bonta noted, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale.”

If this recent case is any indication, companies that don’t focus on compliance will face stiff monetary penalties, along with significant damage to their brand. 

But what if your company isn’t based in California? Do you even need to worry about this precedent? Well, according to the National Conference of State Legislatures, five states — California, Colorado, Connecticut, Utah, and Virginia — already have comprehensive consumer data privacy laws in place. And at least 15 states are currently considering consumer privacy legislation.

With greater enforcement of privacy laws, what do brands need to do to remain compliant?

Maintaining Data Privacy Law Compliance

In addition to the CCPA, companies are now looking to maintain compliance with the EU’s data privacy directive, the GDPR (General Data Protection Regulation), as many companies based in the US fall within the GDPR’s reach. In fact, states that already have data privacy laws on the books borrowed heavily from the GDPR’s framework.

What steps do retailers and brands need to take to stay compliant with data privacy laws and avoid fines and penalties?

  • Clarify their online disclosures and privacy policy to include an affirmative representation that they sell data
  • Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control
  • Conform their service provider agreements to the CCPA’s (and GDPR’s) requirements

If your website was not designed with these regulations in mind (most were not), then now is the time to make the necessary changes to your website. Here’s where to start:

  • Evaluate your website to ensure all content and links are up to date with CCPA and GDPR guidelines
  • Contact your ESP and third-party data platforms to make them aware of any concerns you may have about violations
  • Re-evaluate providers if they are unable to explain, or are unclear on, how they keep data safe under the regulations

In addition to these steps, being a Listrak client helps brands maintain data privacy compliance. Listrak Information Security has protocols in place to document breach notification to clients as well as full GDPR and CCPA support in cases of customer requests for data or for erasure. Opt-out is handled automatically with in-message links and feedback loops with all major ISP platforms.

Data Privacy Laws Are Here to Stay

This California v. Sephora decision is a wake-up call for retailers that have been putting off CCPA and GDPR compliance. It shows that states and regulatory bodies are serious about enforcing the laws and penalizing violators. Listrak can help you stay compliant, secure your data, and maintain the hard-won trust of your customers.

Are your current digital marketing vendors keeping you compliant and your data safe? If you have concerns, reach out to Listrak to learn about a partnership. Also, ask how Listrak’s GXP is collecting zero- and first-party data for retailers like you.
