Summary: California Attorney General Rob Bonta announced a settlement with DoorDash, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The investigation by the California Department of Justice found that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of that sale, in violation of both the CCPA and CalOPPA.
Activity considered a Sale under CCPA: The sale occurred in connection with DoorDash’s participation in a marketing cooperative, where businesses contribute the personal information of their customers in exchange for the opportunity to advertise their products to each other’s customers.
What is DoorDash: DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery.
How did DoorDash Violate CCPA: To reach new customers, DoorDash participated in marketing cooperatives and disclosed consumer personal information as part of its membership in the cooperatives.
- DoorDash traded personal information – including names, addresses, and transaction histories – of California consumers to a marketing cooperative in a single transfer so that it could market its services to the customers of the other participating businesses.
- The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.
- Upon receiving DoorDash’s customer personal information, the co-op would combine DoorDash’s customer data with the customer data of other third-party co-op members, analyze the data, and allow members to send mailed advertisements to potential leads.
How did DoorDash Violate CalOPPA: The California Online Privacy Protection Act (CalOPPA) is a 20-year-old California privacy law that imposes transparency obligations on companies that operate websites for commercial purposes and collect personally identifiable information from Californians.
- DoorDash failed to disclose in its privacy policy that it would share its customers’ personally identifiable information with other third-party businesses (e.g., marketing co-op members) for those businesses to contact DoorDash customers with ads.
Settlement Terms: DoorDash will have to do the following:
- Pay a $375,000 civil penalty and comply with strong injunctive terms.
- Comply with CCPA and CalOPPA, including requirements for businesses selling personal information.
- Review contracts with marketing and analytics vendors and use technology to evaluate whether it sells or shares consumer personal information.
- Provide annual reports to the Attorney General that monitor any potential sale or sharing of consumer personal information.