Episode 98 - “Do not sell my personal information”

How a California statute works in practice

In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), companies subject to the law must give their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires. Sephora promptly changed its website. But how? This podcast discusses how, in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA), effective in 2023, will address the “sharing” of personal information, a much broader reach than “selling.”

Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

00;00;06;28 - 00;00;34;22
Speaker 1
This is the data privacy detective steroids that we're going to talk about perfume and try to see. I'm sort of kidding. What we're going to take is one of the great brands of the world, Sephora. My daughters have shopped there to buy holiday gifts. They're wonderful. Retail chain, very worldwide, brand well-known. And data privacy and some trouble it got into with the state of California.

00;00;34;29 - 00;00;53;17
Speaker 1
And we're going to use that to talk about what's really happening with us and our privacy. When we post something on our website, we want to buy something from a brand, go on there and we join as community here. We buy a product and we sign up and we start giving our information and just guess what happens to it.

00;00;53;17 - 00;01;05;20
Speaker 1
As we're going to talk about today and with us again, as has been true a number of times, this is my good friend and colleague, Hugo Nagashima. Hugo, thank you for joining us today. Talk about perfume and privacy.

00;01;05;21 - 00;01;07;14
Speaker 2
Thank you. It's great to be here.

00;01;07;15 - 00;01;29;00
Speaker 1
A year ago, you're an attorney in the Washington, D.C., office of Prosper. And Todd, a large U.S. law firm on the tech and date of service to tell us about what the attorney general of California recently did with Sephora and the settlement that got entered into in August of 2022.

00;01;29;06 - 00;01;53;00
Speaker 2
Sure. Again, in August, there was a but what even before I guess there was a complaint filed against Sephora for certain CCPA, the California Consumer Privacy Act, violations. And in the complaint, there were three main focus, main issues. One is Sephora, there was an allegation that Sephora did not notify customers that Sephora sold customer personal.

00;01;53;00 - 00;02;01;00
Speaker 1
Information on the first claim is they weren't telling their users what they were doing with their data. That was the claim. Okay. What was the second?

00;02;01;02 - 00;02;11;07
Speaker 2
The second one is because of that, that under the California law, they should have had something called the Do Not Sell My Personal Information link, but Sephora's website did not have it.

00;02;11;18 - 00;02;19;25
Speaker 1
And that was not in the privacy policy they used to have. And now we'll talk about this, but it ought to be there because it's so. That's correct. What was in.

00;02;20;20 - 00;02;28;10
Speaker 2
That Sephora did not honor a consumer opt out through this technology called Global Privacy Control.

00;02;28;28 - 00;02;35;20
Speaker 1
Or GPC. And we're going to talk about that a bit. But look into what happened, there was a settlement. Sephora have to pay any money?

00;02;35;28 - 00;02;47;21
Speaker 2
They did. It was hefty. It was, I believe, $1.2 million. And Sephora also had to enter into a compliance program. Okay.

00;02;47;21 - 00;03;06;04
Speaker 1
Well, let's start with it. You know, I went to the Sephora website and we're recording this in late September, about a month after the settlement. And I looked for a button called Do Not Sell My Personal Information and I could not find one. And you help me through this, but you have to go to the very bottom and you'll see something.

00;03;06;04 - 00;03;25;05
Speaker 1
You'll see the privacy policy down at the bottom. That's pretty common on websites. I think people know maybe where to find it. This was at the very bottom. And then there is a thing says, do not sell my personal information. CA standing for California. Then I clicked on that. I still couldn't find a button. Instead it talks about cookies.

00;03;25;11 - 00;03;45;10
Speaker 1
Then it seems to say, allow the sale of my information. It doesn't say Do not sell. I still couldn't find that. And then you go there and there's one of these green turned on default switches, which we've kind of gotten used to, and you have to turn that to the left. That's how you tell Sephora you don't want to sell their personal information.

00;03;45;10 - 00;03;49;13
Speaker 1
So it's there, but that's how it's there. Did I get that right?

00;03;49;16 - 00;04;17;27
Speaker 2
That's right. The link says, do not sell my information, but after that it is. Yeah. Even for me, it was first difficult to figure out what exactly I had to do in order to tell Sephora that I did not want my information being sold. Sephora's response, or how they want you to tell them, is that basically turning off the analytics cookie, that's their response, that's how they how.

00;04;18;09 - 00;04;36;06
Speaker 1
They say and if they do that they say they will not sell information. But what does sell mean? And this is quite interesting because it tells us about what the debate was about so far as I understand it. So we're not really selling information. We're sharing it with people who do things for us. And what's wrong with that?

00;04;36;06 - 00;04;40;21
Speaker 1
It helps us and our customers. But what's the point of this one?

00;04;40;28 - 00;05;04;13
Speaker 2
The point of this is, well, the settlement was very helpful because it gave us an idea of what the California regulators are thinking about the word sale. We knew before the settlement that sale meant more than just, you know, a financial transaction where, you know, you paid money for certain service. So if you give certain data, you get some kind of money.

00;05;04;21 - 00;05;10;00
Speaker 2
We know it was broader than that. You know, it involves certain benefits that that were not monetary.

00;05;10;00 - 00;05;34;01
Speaker 1
But as I understand it, Sephora, like many, many companies, has an arrangement with Google Analytics. Right. And in part, that's to help, you know, place ads and do other things. The benefits are for, you know, they want Sephora ads to appear if a person is shopping for perfume, for example, then that benefits Sephora. But that isn't an obvious sale, is it?

00;05;34;01 - 00;05;47;29
Speaker 1
But the AG was saying that's a sale because Sephora's providing information to Google Analytics to make some money and they get a discount or whatever, is that sort of how the sale has a very broad meaning according to California?

00;05;48;04 - 00;05;59;18
Speaker 2
I think that's right. Just give a little bit more color. So there's two parts, which is, one, you get the information. So there's more targeted ads. That's a benefit that Sephora gets. So pages like.

00;05;59;19 - 00;06;02;29
Speaker 1
Any brand wants that it's a way for them to market. Right. Understood.

00;06;03;03 - 00;06;21;23
Speaker 2
And and the other aspect you mentioned is, you know, there may have been a discount for providing the data, although I believe, you know, Google Analytics charges the certain amount. But if for some reason, if the price is at $100, you know, I'm just taking. But if you provide a certain amount of data, it goes down to $50.

00;06;22;04 - 00;06;27;03
Speaker 2
In California, you said, well, that's a sale because you're getting that benefit from giving a lot of data.

00;06;27;03 - 00;06;53;09
Speaker 1
So in our data is valuable. And the idea and by the way, California, of course, is one what more than one at the one we're dealing with, I think, is the California Consumer Privacy Act, the so-called CCPA, and now we have you know, you've got a number of CS and now you've got children and all different but but anyway under the consumer part of what California law and regulation has been this is about consumers.

00;06;53;09 - 00;07;13;24
Speaker 1
And obviously that's what you're talking about when somebody is buying a brand or going on a website. Okay. And so this has to do also, it's intertwined with whether somebody who's, you know, wants to buy a perfume goes to Sephora. Here it is. And they can join a community and they can post it. Well, I'm allergic to this.

00;07;13;24 - 00;07;27;05
Speaker 1
And, you know, I just got out of the hospital and I had this problem and they may not have known that ad information that is going to Google. Right. And that was part of the California attorney general's issue is support.

00;07;27;05 - 00;07;39;23
Speaker 2
That's right. The notice wasn't there. Sephora didn't tell its users that if they put something in there and you purchase less or Wishlist or even like you mentioned, community, it might go to Google and that was one of the issues.

00;07;40;06 - 00;08;02;23
Speaker 1
Now if an individual wants to provide their data knowing that, it's hard to say that there's something wrong there because we'd like to think as individuals we own our data, whereas in fact there's a little different view of that. If you're a business and you're trying to grow your okay, well, let's talk a bit about the GPC you mentioned very few people know about.

00;08;02;26 - 00;08;11;18
Speaker 1
So we're going to let them in on a secret. All your listeners, you're going to learn something here. Global privacy controls. Now, who wrote this? The United Nations.

00;08;11;28 - 00;08;43;08
Speaker 2
The GPC is more of an industry standard that, you know, companies would use a certain website that would recognize the signals that would be sent from a certain web browser. If you set your privacy setting to say, you know, GPC is on, you know, I don't want my information. You know, I don't want analytics running on it. And the California Consumer Privacy Act has a section that the regulations would determine, you know, what kind of rules that you would have for the GPC and the regulations state that you have to honor it.

00;08;43;12 - 00;09;05;20
Speaker 1
So this no government wrote this. This is an industry group and nothing wrong with it, but it's industry saying here's how we're going to compete with each other and these ought to be standards. You shouldn't cheat and do bad things, and we all should be able to compete somewhat fairly with technology. And so this is a way to respect privacy oriented consumers.

00;09;05;20 - 00;09;23;14
Speaker 1
That is the essence of it. Okay. And now it's part of actually California law adopting an industry, creating standard for that purpose, having to do with technology that ought to be where on everybody's website, from small businesses to large or what does it mean, you know.

00;09;23;23 - 00;10;05;19
Speaker 2
So to the extent that CCPA applies, it is part of the regulation. So you would have to honor a Global Privacy Control typically must be honored. It's however, it's been very difficult because a lot of the Web browsers we use today, you know, we can't set it up to have GPC and it's more of the minority web browsers, you know, Firefox that that's where they'll be major or DuckDuckGo dos privacy oriented browser it's really do embrace GPC but you really don't see that much on the Microsoft Edge side or a Chrome at least that's how I'm seeing it.

00;10;05;19 - 00;10;11;09
Speaker 2
I haven't seen a control button and you know, maybe audiences can work pointed out to us but I haven't.

00;10;11;09 - 00;10;33;03
Speaker 1
Seen maybe Google and Microsoft thinking about this and getting into an argument with the California attorney general. We'll see. But it's really quite interesting. So this is a way that industry itself is trying to be somewhat privacy centric. And so at least there's fair competition among at least major brands. A very interesting turn of events. What are the key takeaways here?

00;10;33;03 - 00;10;58;21
Speaker 1
It seems one of them is anybody subject to CCPA, and that's a lot of companies and more states are getting into the action and maybe someday we'll have a federal privacy law. And who knows? Wouldn't it be right that just for reputational value, if nothing else, if you have a Web site, you really should tell your the people who visit and use your service or buy something from you.

00;10;59;08 - 00;11;03;19
Speaker 1
How you're going to use their personal information. Is that not a big takeaway from this?

00;11;03;19 - 00;11;17;06
Speaker 2
That is a big takeaway. And companies should revisit how they have their privacy policies written now that we have this case, because how sale was understood before and how we should understand it now is a bit different.

00;11;17;29 - 00;11;28;06
Speaker 1
Very broad scale. And next year, as I understand it, a different California law will really go beyond sale to sharing of personal data.

00;11;28;11 - 00;11;38;26
Speaker 2
Right. So CPRA, it's sale or sharing. So it's going to get broader. So companies should be on a lookout to revise and rethink about their privacy policies.

00;11;38;27 - 00;12;02;28
Speaker 1
That's probably any business that wants any business, small or large, that it wants to really be viewed as privacy centric and serious about. It shouldn't get hung up on the sale definition. But think about it. If we're going to let somebody have access to personal information of our customers or community, we better tell them that we're doing that and give them a chance to say yes or no.

00;12;02;28 - 00;12;10;20
Speaker 1
Right, right. And then the GPC, very interesting. And really, it's going to be some work, isn't it, for computer tech people?

00;12;11;00 - 00;12;22;20
Speaker 2
It is. And we're already seeing it with certain privacy vendors. The implementation of GPC is going to be a challenge for a lot of the company I.T. departments. But it will need to happen.

00;12;22;27 - 00;12;44;00
Speaker 1
And for individuals, you really have to decide, don't you? Even if you're shopping, you don't think of yourself as sharing your data when you shop. You're just trying to buy something. But if you're out there shopping on the web the way probably all of us do these days, you are sharing some personal information. And I know it's like, read your credit card or how you pay for this thing.

00;12;44;00 - 00;13;05;11
Speaker 1
I'm talking about saying, you know, my I have acne and I need I need Al Gore, you know, I'm allergic to something and suddenly it's even health information that's getting shared. And if you don't want that shared broadly, you better take action. And it isn't going to be that simple. It's not like you say, don't you can't see our website and you click here, do not sell my information.

00;13;05;15 - 00;13;22;22
Speaker 1
Nobody is going to do that. So you're going to have to work a little bit if you're an individual who wants to safeguard your privacy and yet have access to all the great things available in the world. Any other advice you give to individuals in light of what we learn from the Sephora case?

00;13;22;22 - 00;13;46;03
Speaker 2
You Right. So this really brings light to the, you know, the GPC aspect, which is people don't go out to click on do not sell my personal information. Maybe some people do, but most don't because they don't see themselves that way as a provider of personal information. So one way is to have a more secure, privacy oriented web browser.

00;13;46;08 - 00;13;59;26
Speaker 2
Those are out there that have GPC signals and those would have to be honored as we signed a settlement. So that might be a solution for individuals who are more privacy oriented, and that might be the solution.

00;13;59;26 - 00;14;22;00
Speaker 1
Right. And of course, we've been talking largely about U.S. consumers, California consumers, but the GDPR, maybe the whole idea of privacy by design, where the default setting is, I really want to share my information. Then I've got to go do something about it. Maybe. Maybe we'll evolve there. Maybe we won't. We know there'll be a big push back from industry.

00;14;22;03 - 00;14;48;21
Speaker 1
We'll see what happens. Well, Hugo, thank you for walking us through this very interesting case with real informative value for all of us. And I will close our session, as I always do, by reminding us protecting your personal information begins with you.

This podcast was created for general informational purposes only as of the time of its creation and does not constitute legal advice, the formation of an attorney client relationship, or a solicitation to provide legal services. The laws governing legal advertising in some states require the following statement in any publication of this kind: “THIS IS AN ADVERTISEMENT.” All rights reserved