March 7, 2024

On February 21, 2024, California Attorney General Rob Bonta announced a $375,000 settlement with DoorDash, the second-ever public enforcement action under the California Consumer Privacy Act (CCPA). This follows the AG's $1.2 million settlement with Sephora, detailed in our previous discussion here. The DoorDash settlement addresses consumer privacy violations arising from DoorDash's participation in a marketing co-operative, which the AG alleged constituted a sale of consumers' personal information without providing notice or an opportunity to opt out under the CCPA and the California Online Privacy Protection Act (CalOPPA). This action is just the latest step in California's aggressive push to uphold its comprehensive data privacy laws—and it illustrates the importance of a vigilant and proactive approach to privacy.

DoorDash's Alleged Violations and Settlement

The action against DoorDash stems from allegations that the company failed to adequately inform its users about their right to opt out of the sale of their personal information, specifically related to DoorDash's participation in two marketing co-ops, starting in 2018, in which participating businesses contributed customers' personal information in exchange for the ability to advertise their products to other co-op participants' customers. In January 2020, DoorDash transmitted personal information of its California customers, including names, addresses, and transaction histories, to the marketing co-op. The information was then sold downstream to other companies. At least one DoorDash customer subsequently received marketing materials by mail from third party businesses because of this disclosure.

The complaint alleged that the disclosure of personal information to the marketing co-op was a "sale" under the CCPA. It also asserted that DoorDash failed to inform customers that it was disclosing personally identifying information about them to third parties and did not identify the categories of third parties to which it was disclosing such information, in violation of both CCPA and CalOPPA.

The settlement requires DoorDash to pay $375,000 in penalties, comply with the CCPA and CalOPPA regarding privacy disclosures and consumer privacy opt-out rights, and implement and maintain a privacy compliance program for three years. Specifically, the compliance program requires DoorDash to:

Assess and monitor if it is selling or sharing personal information, including for marketing services or "to providers of analytics or measurement services";

Evaluate whether it is effectively providing consumers with required privacy disclosures, in its privacy policy and notice at collection, and providing the right to opt-out;

Document its compliance program in writing, including specific policies and procedures and technical and operational controls for:

    Reviewing contracts with service providers and contractors to ensure compliance with CCPA requirements;

    Documenting technical and operational controls implemented for service provider and contractor risk assessment and diligence under the CCPA;

    Maintaining an inventory of marketing co-ops in which the business participates and any contracts with those co-ops;

    Explaining—with respect to the sale or sharing of personal information with providers of marketing services or analytics or measurement services—where in its privacy policies and notices at collection it discusses any sale or sharing of personal information and the methods for consumers to opt-out of such sale or sharing; and

Annually certify compliance for three years.

Comparison with Sephora Settlement

There are notable differences from the previous CCPA enforcement action against Sephora:

Penalty Amount: DoorDash's settlement involved a $375,000 penalty, significantly lower than the $1.2 million fine imposed on Sephora. This difference likely reflects the nature and scope of the alleged violations, including that DoorDash stopped participating in marketing co-ops in 2020.

Compliance Period: DoorDash is required to implement and maintain a compliance program and certify its compliance for a period of three years. Sephora's compliance program was only in effect for two years. This extended compliance period signals an increase in oversight and ongoing engagement with the AG's Office and emphasizes the importance of maintaining adherence to CCPA requirements.

Key Takeaways for Businesses

Transparency and Communication: Ensure clear communication with consumers about data collection practices and their rights under the CCPA, including the selling or sharing of personal information with third parties, the categories of such third parties, and the right to opt out of the sale or sharing of personal information. This includes regular review of privacy practices to ensure accurate and transparent disclosures in the business's privacy policy and notice at collection.

Understand When a Disclosure Is a "Sale": The DoorDash settlement underscores the sweeping definition of "sale" under the CCPA, which specifically includes the disclosure of information to providers of marketing services or analytics and measurement services. The Sephora action signaled that the AG was interpreting the definition broadly; this action against DoorDash confirms it.

Manage Service Provider Privacy Risk: Businesses should evaluate their service provider and contractor relationships, particularly with marketing, analytics, and measurement providers, to identify and mitigate any privacy risks. This includes ensuring appropriate contractual terms are in place to limit the use or disclosure of personal information.

Proactive Compliance and Monitoring: Establish and maintain a comprehensive privacy and data governance program for CCPA compliance. This includes regular reviews of data sharing agreements and marketing practices that respond to regulatory changes and enforcement trends.

Engage with Regulators: The DoorDash and Sephora settlements highlight the importance of engaging in good faith with regulators and enforcement entities. Demonstrating a commitment to privacy and engaging responsively can affect the outcome of enforcement actions and the penalties imposed.

The DoorDash settlement serves as both a reminder and a warning to businesses of the importance of ongoing compliance with evolving privacy laws like the CCPA and older privacy laws like CalOPPA. As privacy regulations evolve, businesses must stay vigilant, ensuring their privacy practices continue to meet existing requirements while adapting to incorporate new and expanding obligations.

