On February 21, 2024, California Attorney General Rob Bonta announced a settlement agreement with the well-known food delivery platform DoorDash, amounting to $375,000, to resolve allegations of the company's violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The California Department of Justice's investigation revealed that DoorDash sold personal information of California customers without notifying them or providing an opt-out mechanism, in breach of CCPA and CalOPPA regulations.
This enforcement action by the California Justice Department, following a $1.2 million settlement with retailer Sephora, marks the second major enforcement under CCPA.
Case Background:
San Francisco-based DoorDash offers food delivery services through its website and app. The investigation by Attorney General Rob Bonta's office was initiated following complaints on social media.
To attract new customers, DoorDash participated in marketing collaborations, disclosing consumers' personal information as part of its membership. In January 2020, the first month CCPA came into effect, DoorDash provided a marketing partner with personal information of California consumers, including names, addresses, and transaction histories, enabling them to market services to customers of other participating businesses. These businesses also gained opportunities to market to DoorDash customers. However, DoorDash did not notify its customers of this practice or offer an opt-out mechanism.
Investigation Findings:
In response to the violations, in September 2020, Bonta sent DoorDash a notice alleging CCPA violations, demanding corrective actions within 30 days. Although DoorDash ceased selling California consumer's personal information to marketing partners and took steps to delete the data, it failed to fully address the issue, especially in restoring the data security of affected consumers. The personal and inferred information sold had reached beyond the marketing partners to other companies.
The enforcement action ultimately charged DoorDash with violating CCPA requirements for businesses that sell personal data and failing to correct these violations. The complaint also accused DoorDash of violating CalOPPA by not disclosing in its privacy policy that it shared personally identifiable information, such as consumer home addresses, with marketing partners.
Settlement Outcome:
Bonta detailed the settlement with DoorDash over the violations. Specifically, DoorDash will pay a $375,000 fine and comply with injunction terms. DoorDash must:
- Adhere to CCPA and CalOPPA requirements, including those applicable to businesses that sell personal information;
- Review contracts and technology usage with its marketing and analytics vendors to assess if they are selling or sharing consumer personal information;
- Provide annual reports to the Attorney General to monitor any potential sale or sharing of consumer personal information.
Bonta stated that DoorDash's participation in marketing collaborations constituted a sale under CCPA, violating the rights of customers under California's landmark privacy law. Businesses must disclose their practices of selling personal information and provide Californians with an opt-out option. Bonta also expressed hope that the settlement would serve as a warning to businesses: CCPA has been in effect for over four years, and companies must comply with this critical privacy law, with any violations being taken seriously.
This incident highlights California's firm stance on protecting consumer privacy rights. Businesses are responsible for strictly safeguarding consumer personal information, preventing its unauthorized sale or sharing.
