In the second settlement under the California Consumer Privacy Act (CCPA), California Attorney General (AG) Rob Bonta announced a settlement over allegations that DoorDash sold consumers' personal information in a manner that violated the CCPA. The settlement also resolved alleged violations under the California Online Privacy Protection Act (CalOPPA).
The AG investigation concluded that DoorDash sold California customers' personal information without providing notice or an opportunity to opt out, in violation of both the CCPA and CalOPPA. According to the AG, this sale was connected to DoorDash's participation in a marketing cooperative, wherein businesses exchanged customer personal information for advertising opportunities. Specifically, the complaint alleges that DoorDash shared customers' names, addresses, and transaction history with the marketing cooperative and failed to disclose this in its privacy policy.
While DoorDash was notified of alleged noncompliance before the CCPA's right to cure violations had sunset, the AG alleged DoorDash failed to cure because it "did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold" and could not "determine which downstream companies had received its data so that it could contact each company to request that it delete or stop further selling the data."
The AG further suggested that by taking "modest available steps," DoorDash could have mitigated the harm to consumers, for example by instructing the marketing cooperative not to sell the personal information or by updating the company's privacy policy. This allegation foreshadows that, in at least some situations, a business may never be able to cure a violation if the standard the AG applies is to make the consumer whole.
The AG also brought a second cause of action under California's older privacy law, CalOPPA. While CCPA requires many of the same disclosures as CalOPPA, the AG's allegations under CalOPPA signal that companies should not disregard compliance with all of California's privacy laws. Specifically, the AG alleged DoorDash's privacy policy failed to inform customers that DoorDash disclosed their personal information with marketing co-operatives or that customers may receive unsolicited advertisements from unrelated companies based on information DoorDash provided.
As part of the settlement, DoorDash must pay a $375,000 civil penalty and comply with injunctive terms, including:
- Compliance with CCPA and CalOPPA, including requirements for businesses that sell personal information.
- Review of contracts with service providers and contractors who provide marketing and analytics services.
- Provision of annual reports to the AG that monitor any potential sale or sharing of consumer personal information.
California stands alone with its complex privacy regulatory enforcement scheme relative to other states' privacy laws. Not only that, both the California Privacy Protection Agency (CPPA) and the AG have the power to enforce the law. Additionally, the California AG often assesses a company's privacy compliance independently, rather than joining the consolidated efforts of other state attorneys general. Companies must therefore maintain a primary focus on California when developing a privacy plan.
This latest settlement is also a reminder to companies that CCPA compliance should be regularly reviewed in light of ongoing regulatory and enforcement developments. With the CCPA regulations currently in effect following the reversal of the Superior Court's stay by the Court of Appeals in California Privacy Protection Agency v. Superior Court (Feb. 9, 2024, No. C099130), companies that have delayed compliance with the CCPA regulations should take the opportunity to comply now.[1]
1. We Have Said It Before: Consider the Definition of "Sale" and Review Your Service Provider Contracts. The CCPA's definition of "sale" includes any transfer of personal information to a third party for monetary or valuable consideration. In the DoorDash complaint, the California AG alleged that DoorDash's participation in two marketing co-operatives, which combined, analyzed, and used information to target advertisements to send by mail to new customers, was a sale of personal information under the CCPA.
Implementation Tip: Remember the confusion regarding what may constitute "valuable consideration" under the definition of "sale"? The DoorDash complaint provides some insight. As a result of the allegations against DoorDash, businesses would be wise to review their current data practices for any exchange of personal information with a third party that results in a benefit to the company, even if the benefit is not monetary. Thus, in undertaking a review of service provider contracts, businesses should consider whether they could defensibly categorize the third party as a service provider — a well-recognized exception to a "sale" — or leverage any other exemption. Where businesses have determined that a third party meets the definition of a "service provider," businesses must take steps to update the vendor contract to align with the CCPA's requirements.
This tip is especially important for businesses that use innovative technology, or those whose business models depend on the right to use client data for artificial intelligence (AI) or other independent purposes beyond the contract. This issue often arises in ad tech, analytics, location services, and the use of other innovative technology.
2. Implement Procedures and/or Technology to Honor Global Privacy Controls. Global privacy control signals are plug-ins that allow the user to automatically broadcast their cookie preferences to every website they visit. As seen in the Sephora settlement, cookies and other tracking technologies are considered a sale of personal information.
Implementation Tip: Businesses should educate themselves on the different platforms, technologies, and mechanisms being developed to send opt-out preference signals. Businesses should also review the CCPA regulations to understand how to process opt-out signals in a frictionless or nonfrictionless manner.
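As an added illustration of honoring an opt-out preference signal (this example is not from the article or from any regulator): the Global Privacy Control specification has the browser or plug-in send the request header `Sec-GPC: 1` on every request, and the snippet below shows a server-side check that treats a well-formed signal as an opt-out of sale and sharing. The consumer record shape, the `saleOptOut`/`shareOptOut` flags, and the recipient roles are assumptions made for this example.

```javascript
// Added example: interpreting the Global Privacy Control (GPC) signal server-side.
// Per the GPC spec, a browser with the control enabled sends "Sec-GPC: 1"; any
// other value is undefined and must not be read as an opt-out. (Client-side
// scripts can read the same preference from navigator.globalPrivacyControl.)

// Return true only when the request carries a well-formed GPC opt-out signal.
// Header names are matched case-insensitively; a header sent more than once
// may arrive as an array.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      const values = Array.isArray(value) ? value : [value];
      return values.some((v) => String(v).trim() === "1");
    }
  }
  return false;
}

// Apply the signal to a consumer's stored preference record (assumed shape).
// A valid signal opts the consumer out of both sale and sharing; an absent
// signal changes nothing, so an earlier opt-out is never silently reversed.
function applyPreferenceSignal(record, headers) {
  const updated = { ...record };
  if (hasGpcSignal(headers)) {
    updated.saleOptOut = true;
    updated.shareOptOut = true;
    updated.optOutSource = "gpc";
  }
  return updated;
}

// Decide whether a downstream disclosure is permitted for this consumer.
// Disclosure to a contracted service provider is not a "sale" under the CCPA,
// while disclosure to any other third party is blocked once the consumer has
// opted out. Unknown recipient roles are denied by default.
function disclosureAllowed(record, recipient) {
  if (recipient.role === "service_provider") return true;
  if (recipient.role === "third_party") return !record.saleOptOut;
  return false;
}

// Constructed sample request (Node's http module lower-cases header names).
const sampleHeaders = { "user-agent": "Mozilla/5.0", "sec-gpc": "1" };
const consumer = applyPreferenceSignal(
  { consumerId: "c-123", saleOptOut: false, shareOptOut: false },
  sampleHeaders
);
console.log(consumer, disclosureAllowed(consumer, { name: "marketing co-op", role: "third_party" }));
```

The checks run before any third-party tag or data feed fires, so the opt-out is honored without a pop-up or other friction for the consumer.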
3. Notice, Notice, Notice. The settlement against DoorDash, alleging both CCPA and CalOPPA violations, is a reminder that the AG is looking to see what disclosures businesses are making to consumers around their data privacy practices.
Implementation Tip: Notices should be written so they can be understood by the average consumer, and business practices — especially sales of personal information — should be reviewed to ensure they are accurately reflected in the privacy notices.
4. Map Everything. Data mapping is not only important for understanding what types of personal information are collected, but also where the information goes. To ensure that businesses can properly effectuate a consumer's rights, the business must track where that personal information is being disclosed, shared, or sold.
Implementation Tip: Review any service provider or third-party contracts to ensure the required compliance and oversight language are included. This will allow a business to identify further downstream flows of personal information.
5. CCPA Regulations Are in Effect Now. For companies that were delaying compliance with the CCPA regulations in light of the Superior Court's stay, the recent Court of Appeals case has eliminated this breathing room. Consider reviewing business practices immediately for compliance with the regulations, including those regarding disclosures and service provider contracts.
Implementation Tip: The Court of Appeal's decision means that any future rulemaking will not be subject to a one-year delay in enforcement. Stay ahead of potential compliance implementation steps by keeping up with any draft regulations.
[1] On February 20, the California Chamber of Commerce filed a petition to the California Supreme Court to review the appellate court's decision.