Lessons Learned from California on Global Privacy Control

August 2, 2023

Global Privacy Control

The patchwork of privacy legislation at the state level is challenging, at best, and right now enforcement of CCPA in California is providing many lessons learned for both other states following in California’s footsteps and businesses trying to remain compliant with new, and old, privacy laws. Last year’s landmark Sephora settlement with the California Office of the Attorney General, for example, has led businesses to pay much closer attention to a technology called Global Privacy Control, or GPC, first introduced in 2020. The settlement reminded businesses, in a big way, that they must respect consumer choices.

In this episode, the hosts of Priv are joined by Jeewon Serrato of BakerHostetler, who represented Sephora in this landmark settlement, to break down GPC and outline the lessons learned for businesses.





Show Notes

In this episode of Privacy Abbreviated, hosts Dona Fraser, the SVP of Privacy Initiatives for BBB National Programs, and Jason Cronk, the President of the Institute of Operational Privacy Design, are joined by Jeewon Serrato, a partner at BakerHostetler. The three experts discuss how small- and medium-sized businesses can harness the power of Global Privacy Control (GPC) to comply with privacy regulations and protect their users. GPC is a tool that allows users to opt out of online data tracking and is required under the California Consumer Protection Act (CCPA).

02:00 - Dona explains how a particular settlement between Sephora and California’s Attorney General in August 2022 forced businesses to pay more attention to GPC. California’s Attorney General Rob Bonta alleged that Sephora failed to disclose to consumers that it was selling their personal information, failed to process user requests to opt out of the sale of their personal information using user-enabled GPC, and did not remedy these violations within the 30-day period as required by the CCPA.

Attorney General Bonta states, “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they use their customer’s data and ignore requests to opt-out of its sale.”

In the online world, consumers are persistently monitored and tracked. The settlement reached with Sephora highlights the rights granted to consumers under the CCPA, empowering them to combat commercial surveillance.

14:32 - Dona then points out that CCPA won’t apply to all businesses. Businesses that must adhere to CCPA are for-profit businesses that do business in California and meet any of the following: have gross annual revenue of over $25 million; buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information.

Because many medium and small businesses won’t meet those prerequisites, they won’t be required to comply. However, Jeewon points out that compliance is almost impossible after collecting data. She suggests that businesses abide by the guidelines early on so that if and when they grow past the threshold, they’re already in compliance. She says it’s a much easier process to do upfront than retroactively.

20:11 - Jeewon reiterates that complying with privacy laws is not a simple task. It’s complex, and it requires expertise. She recommends finding outside vendors or counsel that have experience with GPC and CCPA regulations. By engaging professionals with a practical understanding of these specific regulations, organizations can navigate the complexities more effectively and ensure adherence to privacy laws.

According to Jeewon, ensuring compliance “is a matter of finding the right tools, technology, and partners who can shed light.”

Before closing the episode, Jason and Dona ask Jeewon a few questions about herself and her experiences in the privacy sector. In answering those questions, Jeewon continues to press the importance of creative problem-solving within the complex world of data privacy and the need for partnership and teamwork while tackling complicated situations. No one can solve privacy problems alone.

Signing off, Dona encourages listeners to catch up on previous episodes of Privacy Abbreviated to learn more about the current privacy landscape. To do so, visit BBB NP’s Accountability Studios website or subscribe to Privacy Abbreviated on Apple Podcast, Google Podcast, Spotify, or wherever you access your favorite podcasts!
