In this 21st century world of people using phones for multiple reasons other than just talking, there are drawbacks to this simplistic take on everyday living. From texting to paying bills to checking emails, users must be wary of their personal information being readily available in the cloud.

Companies set up safeguards to prevent hackers from invading their sites to maintain trust with customers. But sometimes, the hackers slip through, and companies are forced to retrench to come with more safeguard precautions. 

Today, we're examining two significant privacy-breach matters involving customer data and share some lessons learned for CX practitioners charged by law — and in the interest of transparency to their customers — to protect consumer privacy.

Lawsuit: Oracle Let Its Guard Down

Oracle, a Fortune 500 company that focuses on enterprise services and cloud technology, let its guard down last month, and as a result it’s in the middle of a class action lawsuit with its consumer-base.

As a company, Oracle has built its product to collect, organize and personal data. Chances are the recent breach has affected more than just the top tier of their clients. It services five billion people, which computes to more than half of the world’s population. The lawsuit was filed in the Northern District of California.

According to the Council for Civil Liberties (ICCL), Oracle has taken advantage of unwitting internet users to amass a vast archive of data that includes intimate details. The billions of personal dossiers in the Oracle Consumers Identity Graph contain data points like income, interests, emails, medical care, political views, location history and even detailed online spending and account activity. As an example on how deeply involved Oracle is into people’s lives, the ICCL says that one Oracle database included a record of a German man who used a prepaid debit card to bet $10 on a sporting event.

Related Article: Oracle, Sephora Face Data Privacy Woes, Medallia Acquires Mindful, More CX News

Sephora Becomes First CCPA Settlement

Another company also defending its privacy policy is Sephora, a French multinational retailer of personal care and beauty products featuring nearly 340 brands along with its own private label. Last month, it was involved in a $1.2 million settlement with the state of California for potential California Consumer Privacy Act (CCPA) violations.

It was the Golden State's first enforcement of its CCPA privacy law for allegedly failing to tell consumers it sold personal data collected on its website and did not process requests to opt out of sales through privacy controls set by users.

“Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale,” California Attorney General Rob Bonta said in a statement. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

US Federal Privacy Law Coming?

These violations evoke the question for privacy lawmakers in the US: is it finally time the US passes a sweeping federal privacy law? 

Anas Baig, product lead for a digital evangelist and a CMSWire contributor, said that since the General Data Protection Regulation (GDPR) came into effect in the European Union (EU) back in 2018, there have been a slew of data protection regulations that have been passed globally. While the GDPR was not the first such data protection law in the world, it has been the inspiration behind several such regulations that have passed in its aftermath.

He added that in the United States, on the other hand, lawmakers continue to mull over whether a federal data protection law is needed. In the absence of such legislation, individual states have been expected to come up with relevant regulations that afford users in their jurisdiction adequate protection online, while the road to federal data regulation will probably remain long and tumultuous.

Related Article: Making Sense of the Growing Legislation to Protect Customer Data

Why Sephora's Settlement Is Significant

Sephora’s fine is significant for two distinct reasons, according to Baig. "The first is that Sephora isn't a typical digital business," he said. "It is a cosmetics retailer that does only a part of its business online. Secondly, this is the first time since the CCPA came into effect that a business has been dealt such a fine. Ever since it came into effect, there has been visible urgency for businesses to evolve and make any relevant changes in their digital ways of processing data to avoid any violations. The CCPA empowered users with certain consumer rights, most notably over the sale of their personal data collected by businesses in California." 

The CCPA empowered users with certain consumer rights, most notably over the sale of their own personal data collected by businesses in California, Baig added. "The regulation requires all consumers to be informed of any sales related to their data," Baig said. "Additionally, all such data collected on them can be required to be removed, apart from certain exceptions. Likewise, they can opt-out of having their personal data sold at all."

Sephora’s website collects a wide range of personal data — as defined by the CCPA — on its users such as their location, the device used, the operating system, the browser used and other unique identifiers. The company then allowed third parties to gain access to all this data in return for advertising and analytical services via the use of cookies. As per the CCPA’s regulations, even if Sephora had disclosed these practices in its privacy policy, such disclosure of information in exchange for third party services counts as a sale.

Sephora also failed to display a clear “Do Not Sell My Personal Information” message on its homepage in its privacy policy or on other web pages. There was also no opt-out browser signal on the website.

Customer Analytics Is Still a Gray Area

The use of analytics is still a gray area. Data analytical tools are the future of digital marketing and pivotal indicators of its performance with its key customers online with nonetheless a caveat, according to Baig. "However, as the Sephora case has highlighted," Baig added, "the exchange of data with analytics providers such as Google and Facebook may not be as straightforward and simplistic as previously assumed." 

The mechanisms deployed by these analytical and automation tools will now be considered a sale under the CCPA. "Considering how the California Privacy Rights Act (CPRA) will come into effect in 2023 and will extend to the 'sharing' as well as 'selling' of data, the use of the analytical tool may require further deliberation by businesses," Baig said.

While these tools may continue to be deployed online, businesses may need to renegotiate just how much data they’re willing to expose and whether their current arrangements with the providers of analytical tools could pose a similar danger for them going forward, Baig said.

Learning Opportunities

Related Article: Build a Consumer Privacy-Aware Culture Through Training

Customer Data Transparency Is Key

Sephora may rightly point out that it was wholly forthcoming and transparent about its data processing practices and its use of analytical tools in its privacy policy. Sephora's privacy policy informed users that their personal information, including several unique identifiers, would be shared with third parties. 

"However," Baig added, "the exact wording and the extent to which Sephora chose to disclose this information led to the non-compliance issue in the first place. It did not accurately point out that such sharing of data would amount to a sale since Sephora was sharing this data in exchange for free, discounted, or higher quality advertising or analytics services." 

Remember this: a sale does not always have to be of monetary value, Baig said. "As this case has shown, anything of valuable consideration exchanged between two parties in lieu of data can be classified as a sale," he said. "The scope for this will further increase once the CPRA and its 'sharing' aspect come into effect." 

Hence, organizations must undertake strict measures to ensure they are clear and unambiguous about their data processing, sharing, selling, storing and retention policies. They can leverage several tools and strategies to accomplish this. 

Related Article: 6 U.S. States With Pending Data Privacy Legislation

Consumer Data Selling Definition Gets More Broad 

Daniel Barber, CEO of DataGrail, told CMSWire, the California AG is taking a stand and saying it’s no longer OK for companies to freely use people’s data for monetary or similar gain without giving consumers the opportunity to opt-out.

“Since the Sephora news, the main lesson learned is that the term selling is broader than actually exchanging money," Barber said. "It's still considered selling even if you are even exchanging data. Prior to the news cycle, some assumed that money had to exchange hands for it to be considered selling personal data, but now it's clear that if you are sharing data with ad networks, it could be considered selling.”

Data from DataGrail's latest 2022 CCPA Trends Report shows that 63% of all privacy requests in 2021 were people opting out of their data being sold. This will continue to increase in 2022 as consumer awareness spreads.

The cost of privacy is going up and will only get more expensive for businesses. The cost of processing data subject requests (DSRs) doubled year-over-year. It jumped from $192,000 per one-million identities to roughly $400,000 per one-million identities year-over-year, and costs will continue to rise, according to the report.

DSRs Harder to Process When CPRA Goes Into Effect

The new CPRA law clarifies that organizations must give people the option to opt-out not only if their data is sold but also if it is shared with a third party for advertising purposes. For organizations currently required to offer DNS, this already represents 63% of their total requests, according to DataGrail findings. With a greater number of companies required to enable DNS for data-sharing under the CPRA, the number of privacy requests will skyrocket.

Companies Stumble to Identify Third-Party Apps That Contain Personal Data

Most companies don’t even know all the systems — the third-party applications — that contain personal data, let alone where personal data is, according to Barber. "As data privacy continues to evolve, getting a handle on personal data across all systems should be a top priority if companies wish to avoid fines and consumer backlash," Barber added.

As DSRs flow in from every state, businesses must think long-term, Barber said. Many US states have consumer data privacy bills in the works.

"Organizations must be prepared for a patchwork of requirements that differ slightly from state to state," Barber said. "When new laws are enacted, they will require greater resources to handle with expediency and accuracy. Companies can offset such challenges by putting sound practices and solutions in place right now."