ARTICLE
19 April 2024

DoorDash Fined $375,000 By California AG In Second-Ever Publicly Disclosed CCPA Settlement

AP
Arnold & Porter

Contributor

Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.
The California OAG recently reached a settlement with the online food delivery company DoorDash, Inc. of claims that DoorDash violated both the California Consumer Privacy Act and the California Online Privacy Protection Act.
United States Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

The California Office of the Attorney General (OAG) recently reached a settlement with the online food delivery company DoorDash, Inc. (DoorDash) of claims that DoorDash violated both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is the second publicly disclosed settlement by the OAG of CCPA violation claims, following the OAG's 2022 settlement with makeup retailer Sephora.

In a February complaint in San Francisco County Superior Court, the OAG alleged that DoorDash sold California consumers' personal information — including names, addresses, and transaction histories — through its participation in two marketing co-ops beginning in 2018. While selling personal information is not itself a violation of the CCPA, businesses that engage in such sales must notify consumers about them and provide a clear and conspicuous opportunity for consumers to opt out of such sales. The OAG alleged that DoorDash did neither.

According to the complaint, the marketing co-ops in which DoorDash participated pooled consumer personal information from members in exchange for the opportunity to advertise to the other co-op members' customers. The OAG alleged that this exchange constituted "a sale of personal information under the CCPA," highlighting that sales can be for "monetary or other valuable consideration." The recipients of the information that DoorDash shared also allegedly spread far beyond the intended January 2020 marketing co-op. A range of external parties were alleged to have purchased access to the data, and in at least one case, resold that information multiple times. This had a waterfall effect, with DoorDash allegedly unable to track or stop the flow of its customers' data.

The complaint notes that the OAG alerted DoorDash to the potential issues in September 2020, expecting that DoorDash would take steps to cure its alleged violations. However, "[e]ven though DoorDash had already stopped selling the personal information of California customers ... and had instructed that all of its California customer data be deleted," the OAG found that "DoorDash did not cure its January 2020 sale" to the marketing co-op "because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold." The OAG faulted DoorDash not only for losing track of the data, but also for entering into contracts with the marketing co-op that neither allowed DoorDash to audit the sale of the data to third parties nor restricted the marketing co-op owner from making such sales. Furthermore, DoorDash allegedly did not directly request that the co-op owner refrain from making those sales. And even further, DoorDash allegedly did not update its privacy policy to reflect that it had sold consumers' information within the prior year, thereby violating CalOPPA.

The settlement with DoorDash imposes a $375,000 penalty and requires the company to implement a CCPA and CalOPPA compliance program. Under the compliance program, DoorDash will have to assess and report to the OAG on its practices of selling or sharing personal information, its contracts with third parties that handle consumers' personal information, and whether the company is providing proper notice and opt-out information to consumers under the relevant statutes. The compliance program would last for three years and require annual certification.

This action, like the OAG's prior action against Sephora, highlights the risk that disclosures of consumers' personal information will be deemed "sales" in violation of the CCPA. Companies collecting California residents' personal information cannot assume that "sales" under the CCPA are limited to circumstances where there is an explicit exchange of remuneration for personal data. The claims against DoorDash also underscore that businesses must provide consumers with prior notice and an opportunity to opt out of any personal information transfer that would qualify as a "sale," and must provide such notice and opportunity in compliance with both the notice requirements of the CCPA and CalOPPA and the CCPA's mandates for specific consumer opt-out mechanisms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More