In its first enforcement action under the online privacy law, California reached a $1.2 million settlement with retailer-brand Sephora last week.
Although the company was found to have violated the California Consumer Privacy Act (CCPA), Sephora’s point of contention came from the loose definition of the term “sale” under the law, where CCPA doesn’t define sale in the traditional sense of the term, the company told Adweek.
The Act defines “sale” broadly as the selling or transferring of a consumer’s personal information by a business to another business—or a third party in exchange for money or “other valuable consideration.”
“The problem with almost all existing privacy regulations—GDPR or CCPA—is how loosely written they are, which doesn’t really help anyone. But, as with this case, we needed to start somewhere in order to progress,” said customer data platform BlueConic’s president Cory Munchbach.
While the settlement does not require Sephora to admit liability or wrongdoing, it is a reminder of the law’s loose definitions, which have created confusion within the digital advertising industry.
Although the California Privacy Rights Act (CPRA)—going into effect…