CCPA Settlement Illustrates Continued Focus on the Sale of Consumer Personal Information


On February 21, 2024, California Attorney General Rob Bonta ("Cal AG") announced that his office reached a settlement with DoorDash, the food delivery service company, for violating the California Consumer Privacy Act ("CCPA") and the California Online Privacy Protection Act ("CalOPPA"). This is the second CCPA enforcement action since the law took effect in January 2020. In this second enforcement action, the Cal AG levied a $375,000 fine and imposed remedial measures for DoorDash's selling of its customers' personal information to marketing co-ops without informing them or providing an opportunity to opt out. The first enforcement action, announced in August 2022, required Sephora to pay a $1.2 million fine for violating the CCPA, also primarily relating to its selling of consumers' personal information. This continued enforcement underscores the Cal AG's commitment to holding businesses accountable for CCPA violations and highlights the importance of adhering to the CCPA's requirements designed to safeguard consumer privacy.

The Cal AG's Complaint against DoorDash

The Cal AG alleged that DoorDash participated in two marketing co-ops where it shared customer information with unrelated businesses in exchange for the opportunity to distribute mailed advertisements directly to the customers of the other participating businesses. The Cal AG found this to be a "sale" of personal information under the CCPA, and DoorDash failed to comply with the CCPA's opt-out requirements for businesses that sell personal information. Of note, the Cal AG highlighted that "[a]ny transaction under which a business receives a benefit for sharing consumer information can be a sale for purposes of the CCPA." Furthermore, DoorDash violated CalOPPA by neglecting to disclose in its posted privacy policy that it provides personal information, including consumers' home addresses, to these marketing co-ops.

Regarding the CCPA violations, the Cal AG alleged that DoorDash disclosed consumer names, addresses and transaction histories to the marketing co-ops in exchange for the prospect of advertising its services directly to the customers of the other participating companies. When a business sells consumer personal information, the CCPA mandates two key actions, both of which DoorDash failed to fulfill. First, DoorDash was required to disclose in its privacy policy that it engaged in the sale of personal information. Second, DoorDash was obligated to prominently feature an easily accessible "Do Not Sell My Personal Information" link on its website and mobile app. In September 2020, the Attorney General sent a notice of alleged CCPA noncompliance to DoorDash. The Cal AG alleged that DoorDash did not cure the deficiency because the consumers' personal information had already been sold downstream to other companies, including to a data broker who subsequently resold the data multiple times.

Regarding the CalOPPA violations, the Cal AG alleged that DoorDash lacked transparency in its privacy disclosures. CalOPPA, which predates the CCPA and has been in effect since 2004, mandates that any entity operating a website for commercial purposes and collecting personal information disclose, in its privacy policy, the categories of third parties with whom it shares such information. While DoorDash's privacy policy indicated the potential use of customer data for advertising purposes, it did not elaborate on the fact that other entities, such as marketing co-op members, could also contact DoorDash's customers with advertisements for their businesses. Thus, by failing to transparently disclose that it shared personal information with the marketing co-ops, DoorDash's privacy policy fell short of complying with CalOPPA.

Requirements Imposed under Settlement Order

As part of the settlement, in addition to the US$375,000 monetary penalty, DoorDash specifically agreed to:

  • Compliance with Laws
    • To the extent DoorDash sells or shares personal information, it must provide notice of such selling or sharing to consumers in its privacy policy and in its notice at collection. DoorDash must also include a list of the categories of personal information that it has collected about consumers and sold and/or shared in the preceding 12 months. Additionally, DoorDash must provide sufficient notice explaining that its consumers have the right to opt out of the sale and/or sharing of their personal information. To the extent DoorDash participates in a marketing co-operative, it must clearly and conspicuously state in its privacy policy and notice at collection that it does so, and that other businesses may advertise their own products to the consumer using personal information collected and shared and/or sold by DoorDash.
    • Provide the required methods for its customers to opt out of the sale or sharing of personal information (e.g., opt-out preference signal, interactive webform, toll-free phone number, email).
  • Establishing a Compliance Program
    • Implement and maintain a compliance program to: (1) assess and monitor whether it sells or shares personal information; and (2) if so, evaluate whether it is effectively providing consumers with the required notices.
    • Document its compliance program in writing, including its policies and procedures and the technical and operational controls used for assessing whether it sells or shares personal information from consumers, which must include:
      • a detailed description of its review and evaluation of contracts with service providers and contractors;
      • a detailed description of the technical and operational controls implemented related to assessing CCPA compliance for service providers and contractors;
      • the name and description of any marketing co-ops DoorDash participates in and what personal information DoorDash sells or shares; and
      • how its existing privacy policy and notice at collection provide sufficient disclosure to consumers, and the methods DoorDash (the Defendant) provides or otherwise uses for consumers to opt out.
  • Certificate of Compliance to AG
    • Provide annual certifications to the Cal AG's office affirming that it has implemented and is maintaining a compliance program.

The DoorDash settlement stands as a clear message to businesses to prioritize consumer privacy in their operations and heed the requirements of privacy laws. The Cal AG has issued a stern warning to businesses, asserting that his office will hold them accountable if they fail to protect consumers' rights by selling data without due diligence and compliance with privacy regulations. As the Cal AG noted: "I hope today's settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law."

Note that the complaint stated that DoorDash did not have sufficient audit rights in its contract and thus could not audit to whom the marketing co-op sold customer data, which serves as an important reminder to companies to include audit rights and other strong privacy-protective provisions in their agreements. As such, companies should assess their current compliance programs, including understanding their data; reviewing and updating appropriate privacy notices, audit rights, consents and other user-facing transparency requirements; and ensuring appropriate data retention and security policies are in place. Twelve other states have comprehensive privacy laws, and companies should be ensuring their compliance in each jurisdiction.

© 2024 White & Case LLP