Why does the Sephora data privacy fine matter for large merchants, and what is the Global Privacy Control (GPC)?

In late August, the California Attorney General (AG) announced the first data privacy fine in the United States: Sephora was fined $1.2 million for noncompliance with several key provisions of the California Consumer Privacy Act (CCPA). In a press release, the AG tied the fine closely to Sephora’s lack of compliance with a previously little-known and not particularly well-defined provision of CCPA: the Global Privacy Control (GPC).

What is the Global Privacy Control?

The Global Privacy Control is a browser-based mechanism that enables users to opt out of targeted advertising (or cross-context behavioral advertising, per the CCPA). In lay terms, it allows consumers to opt out of retargeting mechanisms across multiple websites with one flip of a switch in their browser. Jonathan Gardner, Senior Analyst at W. Capra, elaborates, “Global Privacy Control is significant because it allows consumers to broadly opt out of targeted advertising with less friction, placing more control in the hands of the consumer.”

Several browsers support GPC today, including Brave and Firefox. When a consumer enables this feature and a website honors it, the site stops applying its cookies and tracking pixels, including those used by Facebook and Google Analytics, to that individual while they’re browsing from that particular device and browser. That person would no longer receive ads for a Sephora product they viewed, for example, in a Google Display Network ad on another website.

GPC is significant for consumers, but it’s an opportunity for merchants as well. Data privacy laws require companies to allow consumers to opt out of targeted advertising across devices, but cookies and tracking pixels are specific to a consumer’s device and browser, which makes it challenging to opt a consumer out of these targeted advertising mechanisms without building a login for consumers to self-identify, which is expressly prohibited by CCPA. Gardner continues, “Global Privacy Control offloads the problem of identifying consumers. Instead of being responsible for identifying the customer and then opting them out of targeted advertising, which can be challenging to implement, companies can simply add support for the Global Privacy Control, putting the onus on consumers to opt in or out of targeted advertising.”
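As an added example (not part of the original article or of any vendor's product), the JavaScript below shows what "adding support for the Global Privacy Control" looks like in practice, using the two signals defined by the GPC specification: the `navigator.globalPrivacyControl` property in the browser and the `Sec-GPC` request header on the server. The tag URLs and request headers are constructed for illustration, and the tag loader is a hypothetical stand-in for a real tag manager.

```javascript
// Honoring the Global Privacy Control (GPC) opt-out signal.
// The GPC specification exposes the signal two ways:
//   - in the browser:  navigator.globalPrivacyControl === true
//   - on each request: the "Sec-GPC: 1" HTTP request header
// Under the CCPA the signal is a request to opt out of the sale/sharing of
// personal information, so tracking tags and pixels must not fire when present.

// Client side: decide whether third-party tracking tags may be loaded.
// `nav` is passed in (instead of using the global navigator) so the logic
// can be exercised outside a browser.
function trackingAllowed(nav) {
  // Only a literal boolean `true` is an opt-out; undefined/other means no signal.
  return nav.globalPrivacyControl !== true;
}

// Hypothetical tag loader: inject third-party scripts only when allowed.
// Returns the list of URLs actually injected so the decision is observable.
function loadTrackingTags(nav, doc, tagUrls) {
  if (!trackingAllowed(nav)) return [];
  const loaded = [];
  for (const url of tagUrls) {
    const script = doc.createElement("script");
    script.src = url;
    script.async = true;
    doc.head.appendChild(script);
    loaded.push(url);
  }
  return loaded;
}

// Server side: read the signal from request headers so the server can also
// withhold tracking cookies and pixels it would otherwise set. Header names
// are matched case-insensitively; per the spec only the value "1" is an opt-out.
function gpcOptOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Constructed sample requests (not real traffic) run through the server-side check.
function demo() {
  const requests = [
    { "Sec-GPC": "1", "User-Agent": "constructed-browser" }, // opted out
    { "user-agent": "constructed-browser" },                 // no signal
  ];
  return requests.map(gpcOptOutFromHeaders); // [true, false]
}
```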

Why does the Sephora decision matter for merchants?

The Sephora decision signals that California is serious about enforcing data privacy legislation. Daniel Kahan, Delivery Lead at W. Capra, explains, “The Sephora ruling was, more broadly, a warning shot for companies. It was the first action taken by an Attorney General to levy a fine against any company for failure to comply with CCPA. Pointedly, the AG took this action against a European company, signaling that they’re willing to enforce data privacy legislation against any company, domestically or globally.”

The AG’s action also indicates a willingness to enforce the entirety of the CCPA and the CPRA, which will soon go into effect. It underscores the need for Legal and Compliance departments to continue to monitor AG websites and consult with a knowledgeable third party like W. Capra for additional guidance on how best to comply with the California regulations and other data privacy regulations that will soon go into effect in additional states, including Colorado, Connecticut, Virginia, and Utah, as well as potential federal regulations on the horizon.

What’s the best way to ensure that I’m compliant with CPRA?

Many large merchants are pursuing third-party data privacy vendors to support their data privacy programs. Gardner indicates, “Several years ago, I would have recommended that you steer clear of a third party and pursue a homegrown solution. With the advent of mature third-party vendors in the space, there are robust data privacy solutions in the market that can support Tier 1 and Tier 2 merchants in their pursuit of privacy compliance.”

This is a particularly good strategy in the case of GPC, given that the guidance around GPC has not been formalized, and no complete technical specification or standard exists. The Global Privacy Control group has created a standard (and made a proposal for adoption by the W3C) that is supported by Brave, Firefox, and DuckDuckGo, but no definitive standard has been endorsed by any state Attorneys General.

Given that the technical specifications remain in flux, pursuing a third-party vendor who will adapt to potential changes will minimize the need to change your data privacy implementation in the future.

Don’t get caught unprepared or unaware

Sephora faced steep fines from the AG in part because they complied with CCPA in name only. Following the ratification of CCPA, Sephora put in place infrastructure to receive data privacy requests, including a webform and a Do Not Sell My Information link displayed prominently on their site, per CCPA regulations. However, they failed to stand up processes behind these façades of compliance to handle data privacy requests, with the absence of the Global Privacy Control representing only one of their failures to comply.

Gardner continues, “Finding a third party that can support GPC is helpful, but it doesn’t completely solve for data privacy compliance. A broader data privacy program is necessary to maintain compliance and provide consumers with the experience that they’ve come to expect from merchants. W. Capra thrives in helping merchants create a tailored, long-term data privacy strategy aimed at compliance and a positive user experience.” Jonathan Gardner and Daniel Kahan are committed to helping W. Capra clients define a data privacy strategy that maintains compliance with regulations while exceeding consumer expectations of transparency and responsibility with consumer data. You can reach Jonathan and Daniel at [email protected] or [email protected], respectively.