DoorDash Fined $375,000 by California AG in Second-Ever Publicly Disclosed CCPA Settlement
The California Office of the Attorney General (OAG) recently reached a settlement with the online food delivery company DoorDash, Inc. (DoorDash) of claims that DoorDash violated both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is the second publicly disclosed settlement by the OAG of CCPA violation claims, following the OAG’s 2022 settlement with makeup retailer Sephora.
In a February complaint in San Francisco County Superior Court, the OAG alleged that DoorDash sold California consumers’ personal information — including names, addresses, and transaction histories — through its participation in two marketing co-ops beginning in 2018. While selling personal information is not itself a violation of the CCPA, businesses that engage in such sales must notify consumers about them and provide a clear and conspicuous opportunity for consumers to opt out of such sales. The OAG alleged that DoorDash did neither.
According to the complaint, the marketing co-ops in which DoorDash participated pooled consumer personal information from members in exchange for the opportunity to advertise to the other co-op members’ customers. The OAG alleged that this exchange constituted “a sale of personal information under the CCPA,” highlighting that sales can be for “monetary or other valuable consideration.” The information that DoorDash shared also allegedly spread far beyond the marketing co-op to which it was sold in January 2020. A range of external parties were alleged to have purchased access to the data, and in at least one case, resold that information multiple times. This had a waterfall effect, with DoorDash allegedly unable to track or stop the flow of its customers’ data.
The complaint notes that the OAG alerted DoorDash to the potential issues in September 2020, expecting that DoorDash would take steps to cure its alleged violations. However, “[e]ven though DoorDash had already stopped selling the personal information of California customers … and had instructed that all of its California customer data be deleted,” the OAG found that “DoorDash did not cure its January 2020 sale” to the marketing co-op “because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold.” The OAG faulted DoorDash not only for losing track of the data, but also for entering into contracts with the marketing co-op that neither allowed DoorDash to audit the sale of the data to third parties nor restricted the marketing co-op owner from making such sales. Furthermore, DoorDash allegedly did not directly request that the co-op owner refrain from making those sales. In addition, DoorDash allegedly did not update its privacy policy to reflect that it had sold consumers’ information within the prior year, thereby violating CalOPPA.
The settlement with DoorDash imposes a $375,000 penalty and requires the company to implement a CCPA and CalOPPA compliance program. Under the compliance program, DoorDash will have to assess and report to the OAG on its practices of selling or sharing personal information, its contracts with third parties that handle consumers’ personal information, and whether the company is providing proper notice and opt-out information to consumers under the relevant statutes. The compliance program would last for three years and require annual certification.
This action, like the OAG’s prior action against Sephora, highlights the risk that disclosures of consumers’ personal information will be deemed “sales” in violation of the CCPA. Companies collecting California residents’ personal information cannot assume that “sales” under the CCPA are limited to circumstances where there is an explicit exchange of remuneration for personal data. The claims against DoorDash also underscore that businesses must provide consumers with prior notice and an opportunity to opt out of any personal information transfer that would qualify as a “sale,” and must provide such notice and opportunity in compliance with both the notice requirements of the CCPA and CalOPPA and the CCPA’s mandates for specific consumer opt-out mechanisms.
Please feel free to contact any of the authors of this post or your principal Arnold & Porter contact if you have any questions about the CCPA or privacy compliance more generally.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.