Sephora Fine Reminds Retail that Data Collection Can Be Tricky

California’s Attorney General’s office announced a settlement with makeup retailer Sephora over a consumer privacy issue.

“California Attorney General Rob Bonta today announced a settlement with Sephora, Inc. (Sephora), resolving allegations that the company violated the California Consumer Privacy Act (CCPA), California’s first-in-the-nation landmark privacy law,” California Attorney General Rob Bonta’s office noted. “After conducting an enforcement sweep of online retailers, the Attorney General alleged that Sephora failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the 30-day period currently allowed by the CCPA.”

Consumer privacy increasingly has become an issue in politics and the retail industry. With no strong national privacy laws, it is currently left to the states to adopt regulations and police companies. That leaves businesses with the difficulty of having to face developing regulation that don’t necessarily work exactly the same way in all locations.

At first glance, the Sephora example has limited application beyond the company itself because the collection of data happened online, after which the company allegedly misused, under California law, what it had received.

But data collection takes place in many ways. In retail, one of the prime ones is location information collected through in-store technology. This can employ various combinations of facial recognition, phone tracking, computer vision, and more. The technology resides not on a company’s website, but in physical locations. Sensors, cameras, computers, and other devices work together to collect data, often to then connect it with other data from third parties to build a more robust set of profiles. These could be combined for aggregate information that generally helps a retailer better understand the process of how customers shop. But it could also be used as personal data.

Owners of retail properties might think about what they’ve enabled, whether allowed a tenant to do or installed for tenants. And then consider exactly what data they collect and how someone ultimately uses it.

Could the property owner or operator be legally at risk? It would depend on the data selected, the use, and to what degree state prosecutors decided to make an example of all involved.