CCPA Enforcement: What the Sephora Case Means for Your Website
You may have seen the headline: California’s Attorney General reached a $1.2 million settlement with Sephora for violating the CCPA and CPRA. This was the first major CCPA enforcement action, and Sephora was made the example.
What the CCPA and CPRA Actually Require
The California Consumer Privacy Act (CCPA) gives state residents the right to know what personal data companies collect, how it’s used, and who it’s shared with. It also gives them the right to delete that data—and opt out of its sale entirely.
The California Privacy Rights Act (CPRA), which went into effect in 2023, makes these rights even stronger. It eliminates the 30-day “cure period” that once gave companies a chance to fix violations before being penalized. Now, enforcement can happen immediately.
Sephora’s CCPA Violation: A Clear Warning for Enterprises
Sephora failed to disclose that it was “selling” user data via common marketing pixels and analytics tags. It also failed to honor Global Privacy Control (GPC) signals—browser settings that function as universal opt-outs. California considered these clear violations of the law.
Here’s what matters most for legal and privacy teams:
- California considers third-party pixels a form of data sale.
- If you use them, you must disclose that and offer users a way to opt out.
- You must respect signals like GPC as valid opt-out requests.
- You no longer get 30 days to fix it before facing penalties.
As AG Rob Bonta put it:
“My office is watching, and we will hold you accountable.”
This CCPA enforcement against Sephora shows how even standard web tracking practices can become legal liabilities.
How to Stay Off the Enforcement Radar
You need more than policies. You need proof. The only way to defend against CCPA violations is to have real-time evidence that your site is honoring user consent.
That means:
- Auditing every tag across every page.
- Validating that consent preferences are respected at the moment of data collection.
- Monitoring for any unauthorized data flows to third parties.
- Enforcing “Do Not Sell” preferences, including GPC signals.
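The two technical checks in this list, gating a sale/share tag on consent and on the GPC signal, and flagging data flows to hosts that were never approved, look like the following in browser-side JavaScript. This is an added illustration, not Sentinel's code; the tag categories, the consent record shape and the sample hosts are constructed, while `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the real forms of the GPC signal.

```javascript
// Tag categories California treats as a "sale" or "share" of personal data
// (constructed category names for this example).
const SALE_CATEGORIES = new Set(["advertising", "analytics-sharing"]);

// True when Global Privacy Control is asserted. `nav` is passed in so the
// check can run outside a browser; `headers` covers the server-side form
// of the same signal (Sec-GPC: 1), as seen by a tag server or proxy.
function gpcSignaled(nav, headers = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  return String(headers["sec-gpc"] ?? headers["Sec-GPC"] ?? "") === "1";
}

// Decide whether a tag may fire for this page view. `consent` is the CMP
// record, e.g. { advertising: true, functional: true }. For sale/share
// categories a GPC signal is a valid opt-out and overrides a stored opt-in.
function mayFire(tag, consent, nav, headers) {
  if (!SALE_CATEGORIES.has(tag.category)) return consent[tag.category] === true;
  if (gpcSignaled(nav, headers)) return false;
  return consent[tag.category] === true;
}

// Audit step: given the third-party hosts that actually received requests
// (in a browser these come from PerformanceResourceTiming entries), return
// the ones absent from the approved list, i.e. unauthorized data flows.
function unauthorizedFlows(requestedHosts, approvedHosts) {
  const approved = new Set(approvedHosts);
  return requestedHosts.filter((host) => !approved.has(host));
}

// Constructed sample data.
const tags = [
  { id: "ad-pixel", category: "advertising", host: "ads.example-vendor.test" },
  { id: "session-lib", category: "functional", host: "cdn.example-site.test" },
];
const consentRecord = { advertising: true, functional: true };
const approvedHosts = tags.map((t) => t.host);

// Build a fire/no-fire plan for a given browser state.
function plan(nav, headers) {
  return Object.fromEntries(
    tags.map((t) => [t.id, mayFire(t, consentRecord, nav, headers)])
  );
}

// With GPC on, the ad pixel is suppressed even though the CMP record says
// "advertising: true"; the functional library still loads.
console.log(plan({ globalPrivacyControl: true }));
console.log(unauthorizedFlows(
  [...approvedHosts, "tracker.unknown.test"], approvedHosts));
```

The same `mayFire` decision belongs in the tag loader itself, not only in a report, so that a GPC opt-out is enforced at the moment of collection rather than discovered afterwards.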
Manual audits don’t catch violations fast enough. They get outdated within days. That’s why Sentinel Insights exists.
How Sentinel Helps You Avoid a Sephora-Style CCPA Fine
Sentinel monitors 100% of your website traffic in real time. Our platform cross-checks every user’s consent preferences against what your site actually collects and shares. When something’s wrong, you get an alert before the regulators do.
We help you:
- Confirm that your privacy requirements are deployed and working sitewide
- Detect any unauthorized PII sent to third parties
- Validate that GPC signals are honored across all tags
- Ensure your privacy policy and CMP are live on every page
With one tag and one day of implementation, you can move from blind spots to full visibility.
If Sephora had had that visibility, it might have avoided a $1.2 million settlement… and a major hit to its reputation.
Get ahead of the next enforcement wave.
Schedule a demo