California AG Reaches Settlement With DoorDash Over Privacy Violations
California's commitment to consumer privacy rights was reinforced on February 21, 2024, when AG Rob Bonta announced a settlement with DoorDash, following an investigation which revealed that DoorDash did not adhere to the requirements of California’s consumer privacy laws, the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA), when selling Californian consumers' personal data.
Both the CCPA and CalOPPA focus on consumer privacy: the CCPA gives consumers rights to access, deletion, and opting out of data sale, while CalOPPA mandates transparent privacy policies for online data collectors. The difference between the two is that the CCPA applies more broadly, while CalOPPA specifically addresses the clear disclosure of privacy practices by websites.
The case against DoorDash illustrates how personal information is sold through marketing cooperatives, arrangements in which businesses exchange customer data for mutual advertising benefits, and it raises concerns about privacy infringement. DoorDash traded personally identifiable information (PII) such as names, addresses, and transaction histories without proper consumer notification or opt-out provisions, which shows a significant need for transparency and consumer choice in the way consumers’ personal data is used.
AG Bonta made the following statement:
DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its customers’ rights under our landmark state privacy law. As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale [...]. I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.
DoorDash violated the CCPA by not providing consumers with the option to opt out of the sale of their personal data, and violated CalOPPA by not stating in its online privacy policy that it disclosed PII to marketing cooperatives. Under this settlement, DoorDash will have to pay a $375,000 penalty and meet a series of stringent compliance and reporting requirements:
- Comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information.
- Review contracts with marketing and analytics vendors and use of technology to evaluate if it is selling or sharing consumer personal information.
- Provide annual reports to the Attorney General that monitor any potential sale or sharing of consumer personal information.
This enforcement of the CCPA is part of a wider initiative by California’s Attorney General to ensure that all entities follow the requirements of the CCPA, as shown by the recently announced investigative sweeps.