Skip to Main Content.
  • Podcast Logo: "Data Privacy Detective"

    Data Privacy Detective Podcast – Episode 98: “Do not sell my personal information.”

How a California statute works in practice.

In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws that they must provide their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires.

Sephora promptly changed its website. But how? This podcast discusses how in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA) effective in 2023 will address the “sharing” of personal information, a much broader reach than “selling.”

Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates.

If you have ideas for more interviews or stories, please email


Privacy & Data Security Weekly Update

Need more Data Privacy updates?

Privacy and Data Security Weekly Update

Three things that happened recently. Three things you want to know. Three things moving forward. Delivered to your inbox weekly.

Newsletter Sign Up