Cosmetics retailer Sephora agreed to a $1.2 million settlement with the state of California on Wednesday for selling customer data without permission.

Sephora broke the law by selling personal data that was collected on its website, according to California Attorney General Rob Bonta.

"The kid gloves are coming off. There are no more excuses. Follow the law. Do right by consumers," Bonta said in a news conference.

The California Consumer Privacy Act was signed in 2018 and went into effect in 2020.

The act states that it "gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law."

A complaint from Bonta's office claimed that Sephora let third parties track information like locations and items in shopping carts in exchange for targeted advertisements and analytics services.

As part of the agreement, Sephora does not admit liability to breaking the law. Sephora said in a statement that it's "important to note that Sephora uses data strictly for Sephora experiences."

"I hope today's settlement sends a strong message to businesses that are still failing to comply with California's consumer privacy law. My office is watching, and we will hold you accountable," Bonta said in a statement Wednesday.