On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt out of that sale.  The sale took place through marketing cooperatives, which are networks of businesses that share the personal information of their respective customers with one another in order for participating businesses to advertise to those same customers, regardless of any prior relationship.  In other words, by participating in marketing cooperatives and disclosing consumer personal information as part of its membership, DoorDash was able to reach new customers; in turn, the other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.

The CCPA is unique with respect to data privacy laws because of how it defines “sale.”  In general, any disclosure or transfer of personal information about a California consumer to a third party in exchange for consideration, regardless of whether money is ever exchanged, constitutes a “sale.”  Therefore, the CA Attorney General’s allegation is that by sharing personal information through marketing cooperatives in exchange for opportunities to advertise to prospective customers, DoorDash effectively sold personal information without notice or consent.

The DoorDash enforcement action alleges that participation in these marketing collectives constituted a sale of personal information under the CCPA.  The complaint alleges that DoorDash violated the CCPA’s requirements for businesses that sell personal data (such as notice of such sales, disclosure of third-party recipients, and an opt-out link entitled “Do Not Sell My Personal Information”), as well as CalOPPA by failing to state in its privacy policy that it disclosed personally identifiable information to marketing cooperatives.

The settlement requires DoorDash to pay a $375,000 civil penalty, and also:

  • Comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information (e.g., notice, opt-out processing, etc.).
  • Review contracts with marketing and analytics vendors and its use of technology to evaluate if it is selling or sharing consumer personal information.
  • Provide annual reports to the CA Attorney General that monitor any potential sale or sharing of consumer personal information.

This marks the second CCPA settlement.  In August 2022, the CA Attorney General announced a settlement with Sephora that resolved allegations that it failed to disclose to consumers that it was selling personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA.

Perhaps two of the biggest takeaways from this settlement are: (1) notice at collection must include a list of categories of the personal information that you sold or shared in the last 12 months; and (2) any transaction under which a business receives a benefit for sharing consumer information likely constitutes a sale under CCPA.  When your company shares information in consideration for the opportunity to advertise, you are receiving a benefit and the transaction is a sale. Both the Sephora and DoorDash settlements serve as a powerful reminder that California privacy laws are being enforced. Last month, the California AG announced an investigative sweep, which included sending letters to businesses with popular streaming apps and devices alleging that they fail to comply with the CCPA, specifically focusing on opt-out requirements for businesses that sell or share consumer personal information.

Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don’t forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.