On February 21, 2024, Attorney General Rob Bonta (“AG”) announced a settlement with DoorDash for $375,000 over allegations that DoorDash violated the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”). The AG alleged that DoorDash violated these laws by, among other things, selling personal information without providing consumers with notice or an opportunity to opt out of the sale. This is the second CCPA settlement announced by the AG since the law came into effect in January 2020. Read about the AG’s first CCPA enforcement action against Sephora here.

What Happened?

According to the complaint, DoorDash participated in marketing cooperatives (“marketing co-ops”) to enable the company to reach new customers. As part of these marketing co-ops, DoorDash and other companies disclosed consumer personal information to the marketing co-op in exchange for the opportunity to advertise their products to each other’s customers.

Specifically, the AG determined that DoorDash:

• Violated the CCPA by failing to provide consumers with notice or an opportunity to opt out of the sale of their personal information. The CCPA requires businesses that engage in the sale of personal information to provide certain disclosures to consumers and provide them with an opportunity to opt out of the sale. By providing personal information of its customers to marketing co-ops in exchange for the opportunity to send advertisements to customers of other participating businesses, DoorDash engaged in a “sale” of personal information. Notably, the CCPA’s definition of “selling” involves the exchange of personal information for valuable consideration. According to the AG, the opportunity to advertise DoorDash’s products to other businesses that were part of the marketing co-ops was a form of valuable consideration that DoorDash received in exchange for providing personal information.
• Violated CalOPPA by failing to make the required privacy policy disclosures. CalOPPA requires an entity that operates a website for commercial purposes and that collects personal information to disclose in its privacy policy the categories of third parties with which it shares personal information. Despite participating in two marketing co-ops, DoorDash did not disclose in its privacy policy that it shared personal information with these marketing co-ops. Rather, DoorDash’s privacy policy stated that it could use customer data to contact customers with advertisements, but did not state that other businesses (like marketing co-op members) could contact its customers with advertisements for their businesses. Notably, CalOPPA has rarely been enforced since it came into effect in 2004.   

What Are the Settlement Terms?

Under the terms of the settlement, DoorDash has agreed to pay a $375,000 civil penalty and comply with the CCPA and CalOPPA going forward, including by disclosing any “selling” or “sharing” of personal information to marketing co-ops and providing any required methods for consumers to opt out of this selling or sharing. Additionally, the settlement directs DoorDash to develop a written compliance program that includes:

• A description of its review and evaluation of contracts with marketing and analytics vendors, or vendors that provide analytics or measurement services, to ensure compliance with CCPA requirements.
• A description of technical and operational controls implemented relating to assessing CCPA compliance for service providers who provide marketing and related services, or who provide analytics or measurement services.
• If DoorDash engages in selling or sharing of personal information in relation to the above-mentioned service providers, a description of how DoorDash’s existing public disclosures adequately address this selling and sharing, and whether consumers are given methods to opt out.

Pursuant to the settlement, DoorDash has also agreed to provide annual reports regarding its compliance with the settlement order to the AG for three years.

Key Takeaways

• A “sale” of personal information under the CCPA is not limited to the exchange of data for monetary consideration. As demonstrated by the DoorDash and Sephora enforcement actions, the exchange of personal information for a benefit – including the opportunity to market to a broader audience – may be viewed as a “sale” under the CCPA.
• When it comes to the sale of personal information, “curing” is a high bar. When the AG began its investigation, the CCPA still afforded businesses the “right to cure” alleged violations within 30 days. Under the current, amended version of the CCPA, the California Privacy Protection Agency (“Privacy Agency”) – a new agency formed to administer and enforce the CCPA – may, in its discretion, give a business the opportunity to cure. In this case, the AG notes that DoorDash did not cure its violations because it was unable to make affected consumers whole “by restoring them to the same position they would have been had their data never been sold.” For example, DoorDash could not determine which downstream companies had received its customer data so that it could contact those companies and direct them to delete or stop further selling the data.
• The AG evaluating compliance with CalOPPA, a rarely enforced law that predates the CCPA, is a reminder that the AG has the authority to enforce state consumer protection laws other than the CCPA. Companies that are not subject to the CCPA may still be required to comply with CalOPPA, which applies to any operator of a commercial website or online service that collects personal information of California residents. As noted above, CalOPPA requires specific disclosures regarding data-sharing. As such, companies should provide adequate disclosures of personal information collected and used for advertising purposes. In particular, when using a marketing co-op or similar service, the privacy policy should identify the categories of third parties with which the data is shared and the fact that third parties could contact consumers with advertisements for their businesses. The AG also has the authority to enforce other California consumer protection laws, including state laws governing medical information and data breaches.
• While the AG’s administrative enforcement authority under CCPA has been reassigned to the Privacy Agency, the AG still retains its civil enforcement authority pursuant to the CCPA. AG Bonta reminded businesses that “[t]he CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and [his] office will hold businesses accountable if they sell data without protecting consumers’ rights.” The AG periodically announces investigative sweeps relating to CCPA compliance, including streaming apps and devices, employee information, and mobile apps in the retail, travel, and food industries.

How can GD help?

If you have any questions regarding this client alert or need assistance with evaluating your obligations under the CCPA, CalOPPA, and other consumer privacy laws, please reach out to your Gunderson Dettmer attorney or contact one of our data privacy experts:

Anna Westfelt           (650) 463-5367            awestfelt@gunder.com

Cecilia Jeong           (646) 490-9094            cjeong@gunder.com

Frida Alim                 (415) 801-4921            falim@gunder.com

James Gately            (617) 648-9313            jgately@gunder.com

Jerel Pacis Agatep   (424) 214 1747            jagatep@gunder.com