To settle the California Attorney General’s first-ever enforcement action over violations of the California Consumer Privacy Act (CCPA), health and beauty company Sephora will pay a $1.2‑million penalty and implement remedial measures to clarify its online disclosure and consumer opt-out practices. The terms of the settlement sound a warning to all companies that do business with California customers. With insights from BakerHostetler, Davis+Gilbert and Frankfurt Kurnit, this article analyzes Sephora’s alleged missteps and the settlement terms, discusses their broader implications and offers lessons from the case for companies subject to CCPA compliance. See “CPRA Draft Regulations: Essential Takeaways and 10 Actions to Take Now” (Jul. 13, 2022).