California Attorney General Rob Bonta today announced a significant settlement with DoorDash for $375k finding that DoorDash had been selling the personal information of its California customers without providing adequate notice or opportunities to opt out, thereby breaching both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is the second CCPA enforcement action — the first was a $1.2 settlement with retail giant Sephora.
The investigation by the California Department of Justice revealed that the sale of personal information occurred in connection with DoorDash’s involvement in marketing campaigns where businesses would provide personal information of their customers in exchange for an opportunity to advertise their products to other participating businesses.
However, this marketing scheme ran afoul of the CCPA’s provisions, which require transparency and consumer consent regarding the sale of personal data.
Attorney General Bonta emphasized the significance of the settlement, stating, “DoorDash’s participation in a marketing cooperative constitutes a sale under the CCPA and infringes upon the rights of its customers under our state’s privacy laws.” He reiterated the obligation of businesses to disclose any such activities involving consumer data and provide opt-out mechanisms, underlining the non-negotiable nature of compliance with privacy regulations.
As part of the settlement, DoorDash has agreed to a civil penalty of $375,000 and must adhere to stringent injunctive measures. These measures include full compliance with CCPA and CalOPPA requirements, thorough reviews of contracts with marketing partners to assess data-sharing practices, and regular reporting to the Attorney General’s office to ensure ongoing transparency.
This settlement underscores the California (and other state) AG’s commitment to upholding consumer privacy rights and holding businesses accountable for violations.
Importantly, this enforcement action is not an isolated incident but part of a broader effort by the AG’s office to enforce the CCPA effectively — AG Bonta announced an investigative sweep just last month. The recent sweep focused streaming services and their compliance with CCPA requirements — including whether they offer an easy mechanism for consumers who want to stop the sale of their data.
Businesses not only operating in California — but also those operating in states with similar robust privacy laws — must continue to prioritize compliance with privacy regulations and ensure that the approriate measures are in place to protect consumer data.