California: AG announces $375,000 settlement with DoorDash

The California Attorney General (AG), Rob Bonta, announced, on February 21, 2024, that they had reached a $375,000 settlement with DoorDash, Inc. (DoorDash), in relation to allegations that the company violated the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA).

Background to the case

The AG noted that they had conducted an investigation into DoorDash following a complaint posted on social media. In particular, the AG noted that DoorDash participated in a marketing cooperative, where businesses contribute the personal information of their customers in exchange for the opportunity to advertise their products to each other's customers.

Findings of the AG

The AG concluded that in connection with its participation in the marketing cooperative, DoorDash violated the CCPA and CalOPPA. The complaint explains that DoorDash failed to disclose in its privacy policy that it sold consumers' personal information and did not provide an easy-to-find 'Do Not Sell My Personal Information' link on the website and mobile app, as required by the CCPA. In regard to CalOPPA, the complaint highlights that DoorDash never disclosed in its privacy policy that it shared personally identifiable information with these marketing cooperatives.

In light of the above, in September 2020, the AG sent DoorDash a notice of alleged CCPA noncompliance, giving DoorDash 30 days to cure the violation. The complaint noted that although DoorDash had stopped selling the personal information of California customers to marketing cooperatives and had instructed that all of its California customer data be deleted, DoorDash did not cure its January 2020 sale to KBM Group, LLC (KBMG), a member of the cooperative. On this point, the complaint clarifies that DoorDash did not cure the violation as it did not make affected consumers whole by restoring them to the same position that they would have been in if their data had never been sold. The complaint details that consumers' personal information and inferences about customers had already been sold downstream to other companies and beyond the marketing cooperative members, highlighting that DoorDash could not determine which downstream companies had received its data so that it could contact each company to request that it delete or stop further selling the data.

Notably, the complaint also emphasizes that DoorDash did not take more modest available steps that could have mitigated the harm suffered by these consumers, including:

  • instructing KBMG not to sell the personal information of affected customers to prevent further dissemination; or 
  • updating its privacy policy to inform consumers that it had sold their personal information during the preceding 12 months. 

Outcomes

The AG detailed that it had reached a settlement with DoorDash for the alleged violations. In particular, DoorDash will pay $375,000 and comply with injunctive terms. Specifically, DoorDash must:

  • comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information;
  • review contracts with marketing and analytics vendors and use of technology to evaluate if it is selling or sharing consumer personal information; and
  • provide annual reports to the AG that monitor any potential sale or sharing of consumer personal information.

You can read the press release here, the complaint here, and the settlement here.