On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.
The AG’s complaint alleged that the Company violated the CCPA’s requirements regarding the “sale” of personal information. In particular, the AG alleged that the Company disclosed California consumers’ personal information to a marketing co-op, which combined Company data with data from other sources to target ads to consumers on behalf of not only the Company but also other marketing co-op participants. The AG alleged that such disclosure constituted a “sale” of personal information and that the Company violated the CCPA by not providing the required notice and opt-out opportunity.
The AG’s complaint alleged that, in September 2020, the AG notified the Company that it was in violation of the CCPA’s requirements with respect to the “sale” of personal information in connection with its disclosure of personal information to the marketing co-op, and that the Company failed to cure the alleged violations within 30 days. In particular, the AG alleged that the Company “did not cure because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold,” even where the Company “had already stopped selling the personal information of California customers to marketing co-ops and had instructed that all of its California customer data be deleted.” The AG took issue with the fact that the Company did not take specific actions to cure the violation, alleging that the Company:
- Could not determine which downstream companies had received the customer data so that it could contact each company to request that it delete or stop further selling the data;
- Did not have contractual provisions with the marketing co-op to audit to whom the co-op sold customer data, or to sufficiently restrict the marketing co-op to only use Company data in furtherance of the marketing co-op;
- Did not instruct the marketing co-op to not sell the personal information of affected customers; and
- Did not update its privacy policy to inform consumers that it had sold their personal information during the preceding 12 months.
The AG’s complaint is significant, as it alleges conduct going back to the first month the CCPA took effect – January 2020 – indicating that the AG may consider historical conduct in bringing enforcement actions. It also makes clear the AG’s expectations with respect to addressing violations of the law and providing consumers with redress.
The AG’s complaint also alleged that the Company violated CalOPPA. CalOPPA requires any entity that operates a website for commercial purposes and collects personal information to disclose in its privacy policy the categories of third parties with which the website operator shares personal information. The AG alleged that the Company violated this requirement by failing to disclose in its privacy policy that it had shared personal information with two marketing co-ops beginning in 2018 (notably two years before the CCPA took effect).
Under the stipulated judgment, the Company must pay a $375,000 civil penalty and submit to strong injunctive terms, including to comply with the CCPA’s notice requirements and opt-out of sale/sharing rights provisions and to comply with CalOPPA’s privacy policy disclosure requirements. Notably, the Company is required to specifically describe in its privacy policy and notice at collection that the Company participates in a marketing co-operative and sells and/or shares personal information in connection with the co-operative, “in which other businesses may advertise their own products to the consumer using personal information collected and either shared and/or sold by [the Company].”
Under the settlement, the Company also must establish and maintain a compliance program to (1) assess and monitor whether the Company is selling and/or sharing personal information, “including without limitation for marketing and related services or to providers of analytics or measurement services, utilizing technical and operational controls,” and (2) if so, evaluate whether it effectively provides consumers with the required notices and the right to opt-out. The Company’s compliance program must include: (1) a detailed description of the Company’s review of contracts with service providers and contractors who provide marketing, analytics, measurements and related services to ensure compliance with the CCPA’s service provider/contractor provisions; (2) a detailed description of the technical and operational controls the Company has implemented to assess its service providers/contractors’ compliance with the CCPA, including a description of the due diligence undertaken by the Company; (3) the name and description of any marketing co-ops the Company participates in and the personal information the Company sells and/or shares in connection with the co-operatives, along with contracts with such co-operatives; and (4) a description of how the Company provides notice to consumers about the sale and/or sharing of personal information and provides the opt-out of sale/sharing right.
The Company is required to annually certify to the AG that it complies with the terms of the compliance program for a period of three years.