A Legal Guide to PRIVACY AND DATA SECURITY 2025

on the site. The case against Sephora was based on its alleged sale of personal information, as that term is broadly defined in the CCPA. If Sephora sold personal information and failed to provide a “do not sell” link or to honor “do not sell” requests, it violated the law. Analyze how you share your customers' personal data with third parties and whether that sharing constitutes a sale under the CCPA.

2. Cookies. Review your cookie policy and document the presence of any third-party cookie, pixel, or SDK on your website or mobile app.

3. Service Provider Agreements. If you use vendors for analytics or ad targeting, make sure you have appropriate agreements restricting use of your data. The data should not be used to benefit the vendor or its other customers. Do these vendors fit the CCPA definition of “service providers”? The California attorney general alleged that sharing data with a vendor in exchange for analytics or ad serving is a “sale” because Sephora “gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits,” including “the valuable option to serve targeted advertisements to the same shopper on the analytics provider’s advertising network.” These practices can, however, also be characterized as services purchased by the business and not the “selling” of data. The California AG noted that the alleged “sale” of data by Sephora could have been cured by having “valid service-provider contracts in place with each third party”.

4. Become Familiar with the Global Privacy Control. The GPC acts as a global one-stop-shop mechanism to opt out of data sales. Make sure that you honor GPC requests as do-not-sell signals. You can configure your cookie management platform to recognize GPC as an opt-out request. Sephora ignored the GPC, which the California Attorney General referenced multiple times, asserting that “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights.” The question remains as to whether browsers can acknowledge the GPC opt-out by default or if consumers will have to take an affirmative
