California AG Announces Settlement with DoorDash for CCPA and CalOPPA Violations | Practical Law

The California attorney general has settled an investigation arising from allegations that DoorDash, Inc. violated the California Consumer Protection Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by participating in a marketing cooperative where it sold consumers' personal information without providing notice or opportunity to opt out of the sale.

Practical Law Legal Update w-042-4154 (Approx. 5 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 22 Feb 2024
California, USA (National/Federal)
On February 21, 2024, California attorney general Rob Bonta issued a press release announcing a proposed settlement with DoorDash, Inc. over allegations that the company shared consumers' personal information with a marketing cooperative (co-op) without providing notice or opportunity to opt out of the sale. DoorDash operates a website and mobile app through which consumers order food delivery.
The complaint alleges that:
  • DoorDash participated in two marketing co-ops where unrelated businesses contribute their customers' personal information to advertise their own products to the other member businesses' customers. The marketing co-op combines, analyzes, and uses the information to advertise to potential new customers on behalf of participating businesses. By sharing its customers' personal information with the marketing co-op, DoorDash sold California consumers' personal information.
  • By failing to notify consumers of DoorDash's personal information sales, third-party disclosures, and their opt-out rights, DoorDash violated:
    • the California Consumer Protection Act's (CCPA) sales and opt-out right notice requirements; and
    • the California Online Privacy Protection Act's (CalOPPA) requirement to disclose the third parties with whom it shares personal information in its posted privacy policy.
  • In September 2020, after a consumer complained to the California AG's office, the California AG sent DoorDash a notice of CCPA noncompliance. At the time, the CCPA included a provision allowing businesses to cure violations within 30 days, which DoorDash failed to do. Specifically, DoorDash did not:
    • contact downstream companies to request they delete or stop further selling the data, at least in part because it was unable to identify those companies and did not have contractual rights with the marketing co-op to audit their identities; or
    • update its privacy policy to notify consumers that it had sold their personal information during the last 12 months.
The proposed settlement requires DoorDash to pay a $375,000 civil penalty and comply with injunctive terms. Specifically, DoorDash must:
  • Comply with the CCPA and CCPA regulations, including disclosing to consumers any personal information sales or sharing activities in its privacy policy and notice at collection, including:
    • identifying the categories of personal information it has collected and either sold or shared in the last 12 months; and
    • explaining that consumers have the right to opt out of the sale or sharing of their personal information.
  • Comply with CalOPPA's privacy policy disclosure requirements.
  • Implement and maintain a written compliance program that assesses and monitors whether it is selling or sharing consumers' personal information and, if so, evaluate whether it is effectively providing consumers the required notices in its privacy policy and notice at collection.
  • Evaluate all contracts with service providers and contractors who provide marketing, analytics, or measurement services to ensure CCPA compliance.
  • Provide an annual report monitoring any potential sale or sharing of consumers' personal information to the California AG.
The press release also stated that the California AG has sent letters to businesses with popular streaming apps and devices alleging that they fail to comply with the CCPA, with a focus on opt-out requirements. Businesses that sell or share consumers' personal information should confirm that their practices meet the CCPA's requirements, including:
  • Clearly disclosing that they sell personal information in their privacy policies and notices at collection.
  • Providing easy-to-use mechanisms for consumers to opt out of the sale or sharing of personal information.