California DOJ treats data transfers for website analytics as a sale under first CCPA | Shook, Hardy & Bacon LLP

Do you use Google Analytics? Are you telling consumers that you do not sell personal information? If you answered yes to both of these questions, this alert is for you! The California Attorney General recently took the position that using third-party analytics is a sale, unless you have a service provider agreement in place. This alert explores the position of the AG and provides practical advice on what to do next.


In June 2021, the California Attorney General notified Sephora that it may violate various provisions of the CCPA. Sephora chose not to “cure” (i.e. fix) these issues during the 30-day grace period. (Handy tip: The right to cure ends on January 1, 2023.) In September 2021, the parties reached a tolling agreement. Then, on August 23, 2022, the AG sued Sephora alleging CCPA violations in the government’s first CCPA lawsuit. In the complaint, the AG focused on two issues: (1) Global Privacy Controls (GPC) and (2) Sales.

The AG alleged that Sephora was not responding to the GPCs. Simple enough; the AG has many times declared (and tweeted) that companies must respect these signals. But things turned sour when the AG turned to sales. The AG pointed out that Sephora uses trackers (cookies, pixels, etc.) to send personal information to third parties, including data analytics companies and advertising networks. The AG alleged that these transfers constituted a sale because Sephora provided the personal information in exchange for free/discounted services without having entered into a service provider agreement. Notably, the AG did not limit this analysis to advertising disclosures alone: “The trading of personal information for analytical purposes and the trading of personal information for advertising purposes constituted sales under the CCPA.” This point bears repeating: The AG asserted that the use of third-party website analytics alone constitutes a sale (unless there is a service provider agreement). The AG also noted that, despite selling personal information, Sephora stated in its privacy policy that it does not sell personal information and did not include a “Do Not Sell My Personal Information” link on its website.

The parties settled the next day, August 24. Sephora agreed to pay a $1.2 million fine and adopt specific compliance measures. Sephora must disclose sales and honor opt-out requests, including those through GPCs. And, for the next two years, Sephora has agreed to (1) maintain a program to monitor its compliance with takedown requests and (2) review its data transfers to ensure they are legal (for example, do they need and have a service contract). Sephora must also provide regular updates to the government on these efforts.

On the same day the AG announced the settlement, it also released an updated list of application examples. Each reflects a situation in which the AG notified the company of a violation and the company resolved the issue within 30 days. In the examples, the AG focused on a series of offenses across a wide range of industries.

Key points to remember

  • GPCs must be respected. California has made it clear that companies must honor GPCs.
  • Website analytics are (probably) sales. You are selling personal information if you transfer personal information to analytics providers, unless you have a service provider agreement with the provider.
  • No business is immune. The AG does not limit enforcement activity to specific industries or types of violation – any violation can trigger enforcement action.

Action steps

With the revised CCPA coming into effect on January 1, 2023, now is the time for a 360-degree review of your CCPA compliance measures. But if you’re looking for a more targeted approach, there are a few specific steps to consider given the AG’s claims against Sephora:

  • Honor the GPCs. Check that your website meets the GPCs. (The California Privacy Protection Agency, which will enforce the CCPA starting January 1, 2023, has also taken the position that companies must comply with GPCs.)
  • Execute service provider contracts. Find and accept your analytics provider’s service provider agreement to avoid the data transfer being considered a sale. (If it’s a sale, analytics can become less accurate because consumers can choose not to be tracked.) Google provides instructions on how to perform their contract. If your provider does not offer such a contract, consider:
    • Disable data transfers (safe). Consider not using the analytics provider if they don’t offer a service provider contract.
    • Updated privacy policy (more secure). Instead of disabling analytics, update your policy to acknowledge the sale and ensure you have an unsubscribe link on your website.
    • Changing scan settings (more risky). Update your preferences to ensure that the analytics provider cannot use the personal information collected for its own purposes. The AG may view this favorably because it captures a key element (limited use) of the service provider relationship, but since the definition of “service provider” under the CCPA requires a contract, not having one in place poses compliance risks.
  • Monitor other states. Keep an eye on how regulators in other states interpret their sales restriction. (The states most likely to follow California’s approach to analysis are Colorado and Connecticut, as they share California’s definition of sale: an exchange of money or consideration of value [and the California AG focused on the latter prong for his conclusion].)

Charles J. Kaplan