Privacy & Information Security Law Blog

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company  DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

The AG’s complaint alleged that the Company violated the CCPA’s requirements regarding the “sale” of personal information. In particular, the AG alleged that the Company disclosed California consumers’ personal information to a marketing co-op, which combined Company data with data from other sources to target ads to consumers on behalf of not only the Company but also other marketing co-op participants. The AG alleged that such disclosure constituted a “sale” of personal information and that the Company violated the CCPA by not providing the required notice and opt-out opportunity.

The AG’s complaint alleged that, in September 2020, the AG notified the Company that it was in violation of the CCPA’s requirements with respect to the “sale” of personal information in connection with its disclosure of personal information to the marketing co-op, and that the Company failed to cure the alleged violations within 30 days. In particular, the AG alleged that the Company “did not cure because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold,” even where the Company “had already stopped selling the personal information of California customers to marketing co-ops and had instructed that all of its California customer data be deleted.” The AG took issue with the fact that the Company did not take specific actions to cure the violation, alleging that the Company:

• Could not determine which downstream companies had received the customer data so that it could contact each company to request that it delete or stop further selling the data;
• Did not have contractual provisions with the marketing co-op to audit to whom the co-op sold customer data, or to sufficiently restrict the marketing co-op to only use Company data in furtherance of the marketing co-op;
• Did not instruct the marketing co-op to not sell the personal information of affected customers; and
• Did not update its privacy policy to inform consumers that it had sold their personal information during the preceding 12 months.

The AG’s complaint is significant, as it alleges conduct going back to the first month the CCPA took effect – January 2020 – indicating that the AG may consider historical conduct in bringing enforcement actions.  It also makes clear the AG’s expectations with respect to addressing violations of the law and providing consumers with redress.

The AG’s complaint also alleged that the Company violated CalOPPA. CalOPPA requires any entity that operates a website for commercial purposes and collects personal information to disclose in its privacy policy the categories of third parties with which the website operator shares personal information. The AG alleged that the Company violated this requirement by failing to disclose in its privacy policy that it had shared personal information with two marketing co-ops beginning in 2018 (notably two years before the CCPA took effect).

Under the stipulated judgment,  the Company must pay a $375,000 civil penalty and submit to strong injunctive terms, including to comply with the CCPA’s notice requirements and opt-out of sale/sharing rights provisions and to comply with CalOPPA’s privacy policy disclosure requirements. Notably, the Company is required to specifically describe in its privacy policy and notice at collection that the Company participates in a marketing co-operative and sells and/or shares personal information in connection with the co-operative, “in which other businesses may advertise their own products to the consumer using personal information collected and either shared and/or sold by [the Company].”

Under the settlement, the Company also must establish and maintain a compliance program to  (1) assess and monitor whether the Company is selling and/or sharing personal information, “including without limitation for marketing and related services or to providers of analytics or measurement services, utilizing technical and operational controls,” and (2) if so, evaluate whether it effectively provides consumers with the required notices and the right to opt-out. The Company’s compliance program must include: (1) a detailed description of the Company’s review of contracts with service providers and contractors who provide marketing, analytics, measurements and related services to ensure compliance with the CCPA’s servicer provider/contractor provisions; (2) a detailed description of the technical and operational controls the Company has implemented to assess its service providers/contractors’ compliance with the CCPA, including a description of the due diligence undertaken by the Company; (3) the name and description of any marketing co-ops the Company participates in and the personal information the Company sells and/or shares in connection with the co-operatives, along with contracts with such co-operatives; and (4) a description of how the Company provides notice to consumers about the sale and/or sharing of personal information and provides the opt-out of sale/sharing right. 

The Company is required to annually certify to the AG that it complies with the terms of the compliance program for a period of three years.