DoorDash Fined for CCPA Violations

California Attorney General Rob Bonta reached a $375,000 settlement with DoorDash, after allegations that the food delivery company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

A California Department of Justice investigation discovered that DoorDash violated the CCPA by selling customers’ personal information without notice or providing the opportunity to opt out of the sale. The company sold the data in a marketing cooperative, where businesses exchange customer data for the chance to market their products and services to each other’s customers. According to the Attorney General, in January 2020, DoorDash traded the names, addresses, and transaction histories of customers to a cooperative in a single transfer.

DoorDash was also accused of violating CalOPPA by failing to state in its posted privacy policy that it disclosed personally identifiable information, such as a consumer’s home address, to the marketing cooperatives.

“DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its customers’ rights under our landmark state privacy law. As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale,” said Attorney General Bonta. “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

On top of the $375,000 fine, DoorDash must also:

•  Comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information.

•  Review contracts with marketing and analytics vendors and use of technology to evaluate if it is selling or sharing consumer personal information.

•  Provide annual reports to the Attorney General that monitor any potential sale or sharing of consumer personal information.

Previous CCPA Fine

The DoorDash settlement is the second CCPA enforcement. In August of 2022, Sephora was hit with a $1.2 million fine for failing to disclose information about the sale of personal information, the lack of a “Do Not Sell My Personal Information” button, and not honoring Global Privacy Control (GPC) signals.

CompliancePoint has a team of privacy  experts who can work with your organization to ensure your practices comply with the CCPA, GDPR, and all other applicable state laws. Reach out to us at connect@compliancepoint.com to learn more about how we can help.