DoorDash Fined $375,000 By California AG In Second-Ever Publicly Disclosed CCPA Settlement – Privacy Protection



The California Office of the Attorney General (OAG) recently reached a settlement with the online food
delivery company DoorDash, Inc. (DoorDash) of claims that DoorDash
violated both the California Consumer Privacy Act (CCPA) and the
California Online Privacy Protection Act (CalOPPA). This is the
second publicly disclosed settlement by the OAG of CCPA violation
claims, following the OAG’s 2022 settlement with makeup retailer Sephora.

In a February complaint in San Francisco County
Superior Court, the OAG alleged that DoorDash sold California
consumers’ personal information — including names,
addresses, and transaction histories — through its
participation in two marketing co-ops beginning in 2018. While
selling personal information is not itself a violation of the CCPA,
businesses that engage in such sales must notify consumers about
them and provide a clear and conspicuous opportunity for consumers
to opt out of such sales. The OAG alleged that DoorDash did
neither.

According to the complaint, the marketing co-ops in which
DoorDash participated pooled consumer personal information from
members in exchange for the opportunity to advertise to the other
co-op members’ customers. The OAG alleged that this exchange
constituted “a sale of personal information under the
CCPA,” highlighting that sales can be for “monetary or
other valuable consideration.” The recipients of the
information that DoorDash shared also allegedly spread far beyond
the intended January 2020 marketing co-op. A range of external
parties were alleged to have purchased access to the data, and in
at least one case, resold that information multiple times. This had
a waterfall effect, with DoorDash allegedly unable to track or stop
the flow of its customers’ data.

The complaint notes that the OAG alerted DoorDash to the
potential issues in September 2020, expecting that DoorDash would
take steps to cure its alleged violations. However, “[e]ven
though DoorDash had already stopped selling the personal
information of California customers … and had instructed that all
of its California customer data be deleted,” the OAG found
that “DoorDash did not cure its January 2020 sale” to the
marketing co-op “because it did not make affected consumers
whole by restoring them to the same position they would have been
in if their data had never been sold.” The OAG faulted
DoorDash not only for losing track of the data, but also for
entering into contracts with the marketing co-op that neither
allowed DoorDash to audit the sale of the data to third parties nor
restricted the marketing co-op owner from making such sales.
Furthermore, DoorDash allegedly did not directly request that the
co-op owner refrain from making those sales. And even further,
DoorDash allegedly did not update its privacy policy to reflect
that it had sold consumers’ information within the prior year,
thereby violating CalOPPA.

The settlement with DoorDash imposes a $375,000 penalty and
requires the company to implement a CCPA and CalOPPA compliance
program. Under the compliance program, DoorDash will have to assess
and report to the OAG on its practices of selling or sharing
personal information, its contracts with third parties that handle
consumers’ personal information, and whether the company is
providing proper notice and opt-out information to consumers under
the relevant statutes. The compliance program would last for three
years and require annual certification.

This action, like the OAG’s prior action against Sephora, highlights the
risk that disclosures of consumers’ personal information will
be deemed “sales” in violation of the CCPA. Companies
collecting California residents’ personal information cannot
assume that “sales” under the CCPA are limited to
circumstances where there is an explicit exchange of remuneration
for personal data. The claims against DoorDash also underscore that
businesses must provide consumers with prior notice and an
opportunity to opt out of any personal information transfer that
would qualify as a “sale,” and must provide such notice
and opportunity in compliance with both the notice requirements of
the CCPA and CalOPPA and the CCPA’s mandates for specific
consumer opt-out mechanisms.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
