DoorDash, Inc. recently settled with the California Attorney General for alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is only the second public settlement with the California AG’s office for claims related to CCPA violations (the first was with Sephora in 2022).

The AG’s complaint stated that DoorDash sold California consumers’ personal information (names, addresses, and transaction histories) as part of its participation in a couple of marketing co-ops that began in 2018. The CCPA does not prohibit the sale of personal information, but a business that engages in such sales must notify consumers of the sale and give them the opportunity to opt out. The AG’s complaint alleged that DoorDash did neither.

In the marketing co-ops that DoorDash participated in, members combined consumer data that each had independently collected, in exchange for the opportunity to re-target the other co-op members’ customers. The complaint explained that under the CCPA this exchange is considered a sale, because a “sale” does not require the exchange of funds but could be an exchange for “other valuable consideration.”

Additionally, the data was shared with parties external to the co-op: it was sold to those external parties, who then also sold the data.

In further support of its claims that DoorDash violated consumer protection laws, the AG pointed out that it had alerted DoorDash to these potential issues in September 2020. DoorDash responded to the notice, stating that it had stopped selling the data and had instructed the co-op participants to delete all California consumer data. However, the AG found that DoorDash did not cure the January 2020 sale of data “because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold.”

In the complaint, the AG faulted DoorDash for losing track of the data and also for engaging in a marketing co-op agreement that did not allow DoorDash to audit the sale of the data to third parties or restrict the co-op owner from making sales of the data. Lastly, the AG alleged that DoorDash did not update its website privacy policy to disclose that it sold consumer data within the prior year.

To settle these alleged violations, DoorDash has agreed to pay a $375,000 penalty and implement a CCPA and CalOPPA compliance program. DoorDash will also have to provide annual certification of compliance for three years. 

With a settlement like this, businesses may want to assess their practices around disclosures of consumer data and take a look at their website privacy policies to confirm that those practices are clearly articulated and transparent.