California Attorney General Rob Bonta announced a settlement between the State of California and DoorDash on February 21, 2024, regarding allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by selling its California customers’ personal information without providing notice or an opportunity to opt out.
The Attorney General specifically took issue with DoorDash’s participation in marketing cooperatives, which involved DoorDash disclosing consumer personal information as part of its membership. The Attorney General deemed that disclosure to be a “sale” of personal information under the CCPA’s broad definition of that term, as DoorDash received “valuable consideration” in the form of an “opportunity to advertise its services directly to the customers of the other participating companies.”
On the Attorney General’s website, Bonta explained: “DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its customers’ rights under our landmark state privacy law. As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale. … The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”
DoorDash responded in a public statement that the data shared — apparently against DoorDash’s request — was “limited to non-sensitive consumer information such as name, delivery address and basic transaction information such as the amount.” The company added that its membership in marketing cooperatives ended in 2020. The settlement requires DoorDash to pay a $375,000 civil penalty and comply with specific injunctive terms.
This is only the second settlement of claims under the CCPA that the Attorney General’s office has announced since the statute took effect. The first, which the Attorney General announced in October 2022, involved Sephora, and is described here.
The California Privacy Protection Agency (CPPA) took over enforcement in July 2023. At its next board meeting on March 8, 2024, the CPPA is expected to provide an update on its own enforcement priorities for the coming year.