In a recent alert, we reported that California Attorney General (AG) Rob Bonta announced a settlement with DoorDash over allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by selling consumers’ personal information without providing notice or an opportunity to opt out.
The AG’s investigation found that DoorDash’s sale of personal information was linked to its participation in a marketing cooperative, where businesses exchanged customer personal information for advertising opportunities. The AG alleged that DoorDash failed to disclose this in its privacy policy.
The AG alleged that DoorDash, despite being notified of alleged noncompliance before the CCPA’s right to cure violations had sunset, failed to cure because it could not restore affected consumers to the same position they would have been in if their data had never been sold and could not determine which downstream companies had received its data. The AG also brought a second cause of action under CalOPPA, signaling that companies should not disregard compliance with any of California’s privacy laws.
As part of the settlement, DoorDash must pay a $375,000 civil penalty and comply with injunctive terms, including compliance with CCPA and CalOPPA, review of contracts with service providers and contractors who provide marketing and analytics services, and provision of annual reports to the AG that monitor any potential sale or sharing of consumer personal information. This settlement serves as a reminder to companies that CCPA compliance should be regularly reviewed in light of ongoing regulatory and enforcement developments.