Following up on the enforcement sweeps announced in late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash over allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement reiterates the Attorney General’s message that privacy will continue to be a priority for his office while the new California Privacy Protection Agency (CPPA) gets up to speed.
Allegations Under CCPA and CalOPPA
DoorDash’s marketing cooperative practices, which allegedly included sharing customer contact and transaction history information, came under scrutiny for potentially violating the CCPA and CalOPPA. The CCPA, which gives California residents control over their personal information, requires businesses to disclose any sale of personal data and to provide a mechanism for consumers to opt out. In September 2020, the California Attorney General issued DoorDash a notice of alleged CCPA noncompliance under a statutory provision that, at the time, allowed businesses to cure alleged violations within 30 days. That cure provision, which previously appeared in Civil Code section 1798.155, subdivision (b), has since been removed. Even though DoorDash halted the sale of California customers’ personal data and ordered its deletion, the California Attorney General argued that this could not cure the violation: DoorDash could not restore affected consumers to their pre-violation status, because the data had already been reshared and DoorDash could no longer control, audit, or restrict its further dissemination.
Furthermore, the California Attorney General alleged that DoorDash violated CalOPPA by failing to disclose in its privacy policy that it shared personally identifiable information with third parties such as marketing cooperatives. CalOPPA, which predates the CCPA, emphasizes transparency in how consumer data is shared with third parties and requires explicit disclosure in the company’s privacy policy.
The Settlement
The DoorDash settlement includes a $375,000 civil penalty. This is lower than the office’s 2022 settlement with Sephora for $1.2 million, likely because DoorDash had already ended its participation in the marketing cooperative and had taken some remediation steps. The DoorDash settlement also requires compliance with the injunctive terms outlined below.
Legal Obligations: DoorDash is required to comply with specific provisions of the California Consumer Privacy Act (CCPA) and its implementing regulations. This includes ensuring transparency, giving consumers control over their personal information, and adhering to privacy standards as dictated by California law.
Privacy Policy and Consumer Notices: The company must clearly disclose, in its privacy policy and at the point of collection, whether it sells or shares personal information. This includes detailing the categories of personal information involved and informing consumers of their rights, particularly their right to opt out of such practices.
Selling and Sharing Practices: For any selling or sharing of personal information, DoorDash must provide consumers with straightforward methods to opt out, in line with CCPA requirements. This is especially pertinent if DoorDash participates in marketing cooperatives that use personal information for advertising purposes.
Compliance Program Implementation: Within 180 days, DoorDash must establish a compliance program to monitor its selling and sharing activities and to ensure it provides the correct notices and opt-out options to consumers. The program must be documented in writing, detailing DoorDash’s procedures for reviewing service-provider contracts and implementing technical controls for CCPA compliance.
Certification and Accountability: DoorDash must certify its compliance with the CCPA and describe its compliance efforts to the California Attorney General annually for three years. This includes disclosing participation in any marketing cooperatives and providing additional information upon request to demonstrate adherence to the legal requirements.
Broader Implications for Businesses
This enforcement action against DoorDash signals a clear message from the California Attorney General’s office regarding the seriousness with which it views violations of privacy laws. The case highlights the need for businesses to critically assess their data practices, particularly in how they share consumer personal information within marketing cooperatives or similar arrangements.
Furthermore, the DoorDash settlement follows on the heels of other significant CCPA enforcement developments, including the earlier settlement with Sephora, the recently announced investigative sweep focusing on streaming services, and the California Court of Appeal decision permitting enforcement of the CPPA’s first set of regulations to proceed. Together, these actions illustrate the broad scope of the CCPA and the state’s active efforts to enforce compliance across sectors.
The settlement between DoorDash and the California Attorney General is an important reminder to businesses operating within the state. It underscores the necessity of complying with California’s stringent privacy laws and the consequences of failing to adequately protect consumer rights. As the digital economy continues to evolve, enforcement of data privacy laws remains a paramount concern, and this case is a clear example of the legal risks businesses face when they neglect consumers’ privacy rights.