Does the US need to update its data protection laws?

Ilia Kolochenko, Founder of ImmuniWeb and a Certified Information Privacy Professional, speaks out on data protection laws in the US.

Following news that Sephora Inc., one of the world’s largest cosmetics retailers, has settled a lawsuit claiming that the company sold customer information without proper notice in violation of California’s landmark consumer privacy law, Ilia Kolochenko, Founder of ImmuniWeb, has spoken out on the US' data protection regimes.

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland that develops Machine Learning and AI technologies for SaaS-based application security solutions provided via its proprietary AI platform.

Sephora agreed to pay $1.2 million in penalties to California for allegedly failing to comply with the state’s consumer privacy law. The company failed to disclose to consumers that it was collecting and selling their personal information and failed to process opt-out requests made by individuals through software or a web browser tool, according to Attorney General Rob Bonta.

Kolochenko says: "Whilst being good news for consumers, this is an alarming trend for businesses. Contrasted to the EU, in the United States, there is still no nationwide and overarching privacy legislation on the federal level, pushing individual states to legislate on the matter and fill the gap.

"If the trend persists, in a decade, we will have 50 heterogeneous privacy and data protection regimes, making business in the US impossible both for domestic and foreign companies. Although most state privacy laws in the US are comparatively more permissive than GDPR, some states have enacted harsher laws, narrowly focused on specific areas of data protection, for instance, the BIPA in Illinois safeguards the biometric data of residents and is famous for costing $650M to Facebook in settlement for alleged violations.

"Contrariwise, in other states, there is no privacy legislation whatsoever, leaving consumers without any protection. Such polarized and incongruent enforcement from one state to another undermines the predictability and certainty of the legal landscape. That being said, federal legislation that would finally harmonize the American data protection regime is urgently needed."


California's Consumer Privacy Act 

The California Consumer Privacy Act’s definition of “data sales” includes the sharing of information with third parties regardless of whether money is exchanged. Sephora shared data with others through cookies on its website to personalize the shopping experience and tailor ads, Sephora said in a statement. The agreement “does not constitute an admission of liability or fault by Sephora,” said the company, which is owned by French luxury products company LVMH Moët Hennessy Louis Vuitton SE.

“Sephora’s practices are already in compliance with the CCPA,” a spokeswoman said. “We have been in communication with the OAG since last June, and we have always cooperated fully.”
