In 2018, California became the first State in the United States to enact a consumer data privacy statute. The statute became effective on June 1, 2020. The California statute has been amended and expanded a couple of times since being passed and is deemed one of the strongest and most protective consumer data privacy statutes. As of mid-2024, another seventeen (17) States have passed their own versions of consumer data privacy statutes using the California version as a model and template.
In all such statutes, enforcement powers are granted to the various Attorneys General Offices. That is, none of the consumer data protection statutes provide a private right to action where consumers can sue businesses directly for violating their consumer data privacy rights. Consumer privacy advocates lament this, of course, but they have been unable to convince lawmakers to allow a private right of action.
Since California was the first State to enact a consumer data privacy statute, it is useful to look at some recent enforcement actions undertaken by the California Attorney General. Based on announcements, the California Attorney General has only settled two large enforcement actions since June 1, 2020. The most recent was a settlement with DoorDash in February 2024. In that action, DoorDash was confirmed to have joined a “marketing cooperative” that exchanged consumer personal data, allowing the participating businesses to advertise to each other’s customers. The exchanged data included information like names and home addresses. The California Attorney General specifically held that this “exchange” of personal data “counted” as a “sale” of personal data. As such, under California’s consumer data protection statutes, DoorDash and the other participants were obligated to provide notices to consumers and obtain various consents for the sharing of their data. DoorDash clearly did not do this. According to the announced settlement, DoorDash will pay a $375,000 civil penalty and be subject to injunctions requiring it to comply explicitly with the requirements of the California consumer data privacy statutes, review and modify contracts with marketing and analytics vendors, use technology to evaluate whether it is selling or sharing consumer personal information in violation of the laws, and provide annual reports to the California Attorney General.
The other enforcement action that was settled involved Sephora, Inc., an online retailer. This enforcement action was settled in August 2022. In that enforcement action, Sephora was shown to have failed to disclose to consumers that it was selling their personal information, failed to process opt-out requests made via user-enabled “global privacy controls,” and failed to cure its violations. Under California data privacy laws, consumers can exercise their opt-out choices through various types of “global privacy controls” like browser and app settings. Sephora did not acknowledge those choices and, for that and other reasons, was held to be violating California’s consumer data privacy statutes. Sephora agreed to pay $1.2 million to settle the action and also agreed to comply with various injunctive mandates.
The California Privacy Protection Agency: Enforcement Expanding
California’s 2020 ballot initiative Proposition 24 — which enacted the California Privacy Rights Act (CPRA) — created the California Privacy Protection Agency (CPPA), a first-of-its-kind standalone privacy enforcement agency in the United States. The CPPA became fully operational in 2023 and has independent authority to issue regulations, conduct investigations, and bring administrative enforcement actions independent of the California Attorney General. This means California now has two enforcement bodies for consumer privacy violations, significantly expanding enforcement capacity.
The CPPA has signaled several priority enforcement areas, including businesses’ compliance with consumer opt-out rights (particularly via Global Privacy Control signals), data minimization requirements, and the processing of sensitive personal information. In March 2024, the CPPA settled its first independent enforcement action against Sephora-related entities for approximately $1.8 million, signaling that the agency will actively pursue cases beyond the Attorney General’s historical enforcement track record.
The DoorDash Case: What Counts as a “Sale” of Personal Data
The DoorDash settlement is instructive on one of the most contested interpretive questions under California privacy law: what constitutes a “sale” of personal data. Under California Civil Code § 1798.140(ad), “sell” means disclosing personal information to a third party “for monetary or other valuable consideration.” In the DoorDash matter, DoorDash exchanged consumer personal data with a marketing cooperative — sharing its customers’ data with other businesses that then used the data to advertise to those consumers, and receiving those businesses’ customer data in return for the same purpose. The California AG concluded that this reciprocal data exchange constituted “other valuable consideration,” making it a sale requiring prior disclosure and opt-out rights.
The DoorDash settlement has significant implications for any business participating in data cooperatives, data clean rooms, or cross-promotional data sharing arrangements. If your business shares consumer personal data with third parties in exchange for any form of value — including receiving their data, marketing credits, or co-promotion rights — you must disclose that practice and provide consumers a means to opt out before the sharing occurs.
The Sephora Settlement: Global Privacy Controls and Opt-Out Obligations
The Sephora settlement in August 2022 remains the most important enforcement precedent on the Global Privacy Control (GPC) issue. The California AG found that Sephora violated the CCPA by failing to process opt-out signals sent by consumers using GPC-enabled browsers. The CCPA and CPRA require that businesses honor consumer opt-out requests made through “user-enabled global privacy controls,” and the GPC — a browser-level signal that communicates a consumer’s opt-out preference to websites automatically — qualifies as such a control.
The practical compliance takeaway: any business subject to California privacy law must configure its website to detect and honor GPC signals as an opt-out of the sale or sharing of personal information. This is not optional. Sephora’s $1.2 million settlement and compliance mandates demonstrate that failure to implement GPC recognition is a prosecutable violation. As of 2024, GPC adoption among consumers is growing rapidly, and the CPPA has stated it will prioritize GPC compliance in future enforcement sweeps.
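As an added illustration of the GPC detection described above (example code written for this article, not code from Sephora, the CPPA, or Revision Legal): a browser that supports Global Privacy Control sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl` as a boolean, and the snippet below turns either signal into a recorded “do not sell or share” status that gates third-party marketing tags. The `storedOptOut` field and the tag-gating function are assumed program design, not anything the statute or the settlements prescribe.

```javascript
// Server side: per the GPC specification the header's only defined value
// is "1"; an absent header or any other value ("0", "true") is no signal.
// Header names are case-insensitive, so normalise before comparing.
function gpcSignalFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: navigator.globalPrivacyControl is true in a browser whose
// user enabled GPC and undefined elsewhere. `nav` is passed in so the
// check can run outside a browser (e.g. in tests).
function gpcSignalFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Resolve the opt-out status for one request. `storedOptOut` (assumed
// design) is a preference the consumer already recorded with the
// business; a GPC signal can add an opt-out but never remove one.
function resolveOptOut({ headers, nav, storedOptOut = false }) {
  const gpc = gpcSignalFromHeaders(headers) || gpcSignalFromNavigator(nav);
  let source = "none";
  if (gpc) source = "gpc";
  else if (storedOptOut) source = "stored";
  return { optedOut: storedOptOut || gpc, source };
}

// Gate for third-party marketing/analytics tags: load none when the
// consumer is opted out, otherwise the configured list unchanged.
function thirdPartyTagsToLoad(status, tags) {
  return status.optedOut ? [] : tags.slice();
}

// Constructed sample requests (not captured traffic).
const sampleWithGpc = { "Sec-GPC": "1", "User-Agent": "example-browser" };
const sampleWithout = { "user-agent": "example-browser" };
const sampleBogusGpc = { "sec-gpc": "true" };
```

Note that the header check must run on every page request, not only on a consent-banner endpoint, because the GPC signal is sent automatically and the consumer never clicks anything.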
Lessons for Businesses: Building a California-Compliant Privacy Program
The pattern across both enforcement actions — DoorDash and Sephora — points to a compliance gap common among mid-size and large businesses: technical compliance with the letter of data privacy law while ignoring the spirit and practical mechanics. Building a California-compliant privacy program requires more than drafting a privacy policy. It requires: (1) mapping all data flows, including data shared with marketing partners, analytics vendors, and advertising platforms; (2) classifying those flows as “sales,” “shares,” or “service provider” arrangements under California law; (3) implementing opt-out mechanisms that actually function, including GPC detection; (4) training marketing and operations teams on what triggers privacy law obligations; and (5) conducting annual audits. Revision Legal provides California privacy compliance audits and ongoing counsel for businesses operating in California or collecting data from California residents.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.