Why a beauty-retailer case ended up on a HIPAA blog
Three reasons.
First, the legal theory is portable. The California AG argued that sharing data with ad platforms (Meta, Google, TikTok, and so on) counts as a "sale" under the California Consumer Privacy Act even when no money changes hands. CCPA defines "sale" broadly, as an exchange for monetary or other valuable consideration, and the AG took the position that the ad-targeting value Sephora got back from the platforms is exactly that kind of consideration.
That theory applies to any business subject to CCPA, including healthcare organizations that meet the law's thresholds. Many organizations serving California patients do meet them.
Second, the technical fact pattern is identical. Sephora used tracking pixels for ads. So do most hospital websites. The disclosure mechanics are the same: a third-party script on the page sends page URLs, clicks and identifiers to the ad platform's servers.
Third, the Sephora settlement is what turned the CCPA regulations' requirement to honor Global Privacy Control (GPC) signals from text in the rulebook into an enforced obligation. Healthcare websites subject to CCPA have to comply with it too, and many don't.
What Sephora did
The California AG’s complaint described three problems.
Sephora used tracking pixels and other ad-tech tools that shared customer data with advertising platforms. That data included browsing behavior, items viewed, items added to a cart or purchased, IP addresses, and device identifiers.
Sephora's privacy policy didn't disclose the data sharing as a "sale" of personal information, and the site had no "Do Not Sell" link. The company's stated position was that no sale occurred because no money changed hands.
Sephora didn't honor Global Privacy Control signals. GPC is a browser setting that tells every website the user visits that they want to opt out of the sale of their data; it is sent automatically as an HTTP request header (Sec-GPC: 1) and exposed to page scripts as navigator.globalPrivacyControl. Firefox, Brave and DuckDuckGo's browser send it natively, and extensions such as Privacy Badger add it to other browsers. Sephora ignored it.
What the settlement requires
The financial component is $1.2 million in civil penalties.
The injunctive relief matters more than the money, because it spells out what compliance looks like. Sephora agreed to:
- Disclose in its privacy policy that it sells personal information
- Provide an easily-accessible "Do Not Sell My Personal Information" link
- Honor Global Privacy Control signals as valid opt-out requests
- Implement processes to verify it's actually honoring those opt-outs
- Submit reports to the AG for two years
Why the GPC requirement matters most
Before Sephora, most websites either didn't acknowledge GPC or treated it as optional. The CCPA regulations already said a user-enabled global privacy control must be honored as an opt-out, but until the Sephora enforcement that requirement was theoretical.
Since Sephora, the AG's CCPA enforcement actions have kept opt-out mechanics at the center. The DoorDash settlement ($375,000, February 2024) and the Tilting Point settlement ($500,000, June 2024) both turned on personal information sold to third parties without the required notice and opt-out.
For healthcare websites, this matters because most cookie banners and consent management platforms (CMPs) don't honor GPC out of the box. Their default behavior is to wait for the visitor to click "accept" or "reject", and many fire tags on "accept" without ever reading the signal. That doesn't satisfy CCPA if the visitor's browser already said "opt out": the signal is a valid opt-out request on its own, no click required, and it has to win over a later "accept" click made before the signal was considered.
What healthcare practices should do about it
Three things.
First, check whether your website is subject to CCPA. The law covers for-profit businesses that do business in California and meet at least one of three thresholds: more than $25 million in annual gross revenue; buying, selling or sharing the personal information of 100,000 or more California consumers or households a year; or deriving 50% or more of annual revenue from selling or sharing California consumers' personal information. Most multi-state practices and any large hospital qualify. One caveat worth knowing: CCPA exempts protected health information that a HIPAA covered entity handles under HIPAA, but data collected from anonymous website visitors is generally not PHI, so the exemption does not reach the pixel.
Second, if you're subject to CCPA and you have advertising trackers, you almost certainly have the same exposure Sephora had. Update your privacy policy, add a "Do Not Sell or Share My Personal Information" link, and configure your CMP to treat a GPC signal as an opt-out: no ad tags may fire for a GPC-enabled browser, whatever the banner state. Then verify it, because a CMP setting that claims to honor GPC is not the same as a page that actually stops contacting ad hosts.
Third, understand that this stacks on top of HIPAA exposure. A pixel on a healthcare website creates HIPAA risk and CCPA risk independently. The remediation is similar (remove the pixel, or load it only behind proper consent), but the legal regimes are separate, and a violation of one doesn't insulate against the other.
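Here is what "honor GPC" and "verify it" look like in code. This is an added example, not code from the Sephora filings or from any CMP vendor: a minimal consent gate that reads the GPC signal on the client (navigator.globalPrivacyControl) and on the server (the Sec-GPC request header), shown beside the naive "wait for a click" behavior described above, plus an audit helper for the verification step. The ad-host patterns, URLs and fake document object are constructed for illustration, and the host list is not exhaustive.

```javascript
// Added example (not the page's or any vendor's code). Demonstrates a GPC-aware
// consent gate for ad pixels and an audit of what the page actually contacted.

// Client side: browsers that implement GPC expose navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same signal arrives as the request header "Sec-GPC: 1".
// Header names are matched case-insensitively; any value other than "1" is not an opt-out.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers || {}).find(([name]) => name.toLowerCase() === 'sec-gpc');
  return Boolean(entry && String(entry[1]).trim() === '1');
}

// The default CMP behaviour: tags fire on an explicit "accept" and GPC is never consulted.
function naiveCmpAllowsAds(bannerChoice) {
  return bannerChoice === 'accept';
}

// Corrected gate. bannerChoice is 'accept', 'reject' or null (no click yet).
// A GPC opt-out wins regardless of the banner, including over an "accept" click.
function adTrackersAllowed({ gpcSignal, bannerChoice }) {
  if (gpcSignal) return false;        // valid opt-out request; no click required
  return bannerChoice === 'accept';   // no signal: fall back to the explicit choice
}

// Inject a third-party ad pixel only when the gate permits it.
// Returns true if the script tag was added, false if the load was suppressed.
function loadAdPixel(doc, nav, bannerChoice, pixelSrc) {
  const gpcSignal = gpcFromNavigator(nav);
  if (!adTrackersAllowed({ gpcSignal, bannerChoice })) return false;
  const script = doc.createElement('script');
  script.src = pixelSrc;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Verification. Illustrative (constructed, not exhaustive) ad-tech host patterns.
const AD_HOST_PATTERNS = [
  /(^|\.)facebook\.net$/,          // Meta pixel (connect.facebook.net)
  /(^|\.)doubleclick\.net$/,       // Google Ads
  /(^|\.)googletagmanager\.com$/,  // Google tag container
  /(^|\.)tiktok\.com$/,            // TikTok pixel (analytics.tiktok.com)
];

// Given the URLs the page actually requested (e.g. from
// performance.getEntriesByType('resource') or a HAR export), return the ones
// that reached an ad-tech host while a GPC opt-out was in effect. A non-empty
// result means the opt-out is not being honored, whatever the CMP claims.
function auditOptOut(gpcSignal, requestUrls, adHostPatterns = AD_HOST_PATTERNS) {
  if (!gpcSignal) return [];
  return requestUrls.filter((url) => {
    let host;
    try { host = new URL(url).hostname; } catch (_) { return false; }
    return adHostPatterns.some((pattern) => pattern.test(host));
  });
}
```

In a real page, run the audit from the browser console with `auditOptOut(navigator.globalPrivacyControl === true, performance.getEntriesByType('resource').map(e => e.name))` after the page has settled; anything it returns is a request that fired despite the opt-out. The server-side check matters for tags injected by templates or server-side tag managers, which never see `navigator` at all.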
State-by-state expansion
CCPA is the most-enforced state privacy law, but it's not the only one. Washington's My Health My Data Act (effective March 31, 2024 for most regulated entities), Nevada's SB 370 (effective March 31, 2024), and Connecticut's Data Privacy Act (CTDPA), as amended to cover consumer health data, all have similar consumer-health-data provisions. Washington's law carries a private right of action through the state's Consumer Protection Act, which means individual consumers can sue without waiting for the AG.