Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for September 16, 2022. I’m James Lee.

Each week we look at the most recent events and trends related to data security and privacy. This week we’re talking about the first enforcement action taken under California’s Consumer Privacy Act, also known as the CCPA.


Show Transcript

Don’t Get Caught with Your Hand in the Cookie Jar

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for September 16, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we talk about the first enforcement action taken under California’s Consumer Privacy Act, also known as the CCPA. California’s strict privacy law has been around since 2018. However, the State Attorney General (AG) has just reached an agreement with the retailer Sephora to pay a $1.2 million fine following a CCPA violation. While we’re talking about a California law, this decision could have a wide-ranging impact beyond the Golden State and the retail sector.

What is the CCPA?

The CCPA gives consumers a series of privacy rights and imposes related obligations on certain businesses if they have customers in California. Chief among the obligations, companies subject to the law must inform consumers if they collect, store, use or sell their personal information and allow them to opt out. Hence today’s episode title: “Don’t get caught with your hand in the cookie jar.”

CCPA Violation Issued to Sephora

Sephora was partnering with companies that could see the type of device a customer was using to access the company’s website, shopping cart items and precise location data. However, Sephora’s website claimed the company did not sell personal information.

Also, according to the State, Sephora failed to configure the company’s website to allow visitors to opt out of having their personal information sold even when they selected the option to do so. The company was also sharing data that could allow a third party to draw conclusions about a person’s health, including pregnancy.

What This Means for Businesses Using Web Analytics in Digital Marketing

Here are three questions to help you determine if you need to review your marketing practices to avoid a CCPA violation.

  1. Are you subject to the CCPA? If you are, ensure you understand your obligations to inform consumers and give them the opportunity to opt out of data sales (and to exercise the other rights they are given under the Act).
  2. Are you sending data to or receiving data from a CCPA-compliant vendor? California considers common web analytics tools like Facebook pixel, for example, to be selling personal data to Facebook unless Facebook is your web analytics vendor. Businesses that share personal data but don’t want to be classified as selling that information should consider adding specific contract provisions that limit the use of shared data.
  3. Are your vendors’ tools privacy friendly? Consider using a vendor that offers services designed to be privacy compliant. Facebook and Google, for example, offer “limited” or “restricted” data and tools that are considered to be CCPA-friendly.

If you have questions about the CCPA and how it might apply to you so you can avoid becoming the next Sephora, be sure to check with your legal counsel.

Contact the ITRC


If you think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Next week, be sure to listen to our sister podcast, the Fraudian Slip, when we discuss our 2022 Consumer Impact Report, which looks at how people are affected by identity crimes. Also, in October, we’ll publish our report on how small businesses are impacted by identity crimes and cyberattacks.

We will return in two weeks with another episode of the Weekly Breach Breakdown.