In two back-to-back announcements, California and the FTC reemphasized their enforcement efforts related to the sale of personal information.

On February 21, 2024, California Attorney General ("AG") Rob Bonta announced that the app-based food delivery service DoorDash had agreed to a $375,000 settlement to resolve claims that the company violated the California Consumer Privacy Act ("CCPA") and California Online Privacy Protection Act ("CalOPPA"). DoorDash allegedly violated the CCPA and CalOPPA by selling consumers' personal information without informing them that it sold their information and by failing to provide the consumer with an opt-out right. This settlement marks the second time California's AG has publicly enforced CCPA protections related to the "sale" of consumers' personal information—signaling that this is a top enforcement priority.

According to the California AG, DoorDash had shared California customers' personal information (such as names, addresses, and transaction histories) to a marketing cooperative in exchange for the ability to market its services to customers of other participating businesses. The California AG used the broad definition of "sale" in the CCPA to argue that DoorDash's conduct violates the CCPA's prohibition on "sales" of personal information because DoorDash traded personal information in exchange for the benefit of being able to advertise to potential new customers.

The very next day, the Federal Trade Commission ("FTC") announced that it will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing consumer web browsing data. The FTC's administrative complaint alleges that Avast and its subsidiaries collected and sold consumers' browsing information without informing consumers and despite touting the privacy and security features of its products. The complaint further alleges that Avast falsely claimed that it only sold consumers' information in aggregate and anonymous form. In reality, the FTC alleges, Avast sold data with unique and persistent identifiers that provided sufficient details to identify individual users.

These two recent enforcement actions illustrate that regulators are closely scrutinizing transactions involving the sharing and selling of consumers' personal information. Businesses participating in marketing cooperatives or otherwise engaged in other data-sharing relationships should carefully review their practices, update their privacy policies to provide notice to consumers, and provide opt-outs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.