DoorDash Fined $375,000 for CCPA Violations

California Attorney General Rob Bonta recently announced a $375,000 settlement with DoorDash over alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The Attorney General’s allegations centered on the food-delivery company’s sharing of consumers’ personal data with a marketing cooperative, which amounted to “selling” information under the CCPA.

“I hope today’s settlement serves as a wakeup call to businesses,” said Mr. Bonta. “The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

What Did DoorDash Do Wrong?

At the heart of the allegations is DoorDash’s participation in a “marketing cooperative.” A marketing cooperative allows participating companies to advertise to each other’s customers. For example, the owner of a gym may want to reach the customers of a company that sells yoga pants, or vice versa. In exchange for this opportunity, each member gives the cooperative access to its customer data, and the cooperative acts as a data broker.

There is nothing inherently illegal about participating in a marketing cooperative. What got DoorDash into trouble was its (alleged) failure to do two things: (1) Disclose the fact of its participation in the marketing cooperative, and (2) offer consumers a way to opt out.

  • Failure to Disclose
    Both the CCPA and CalOPPA require businesses to include in their privacy policy the categories of personal information that they disclose to third parties, and the categories of those third parties. According to the Attorney General, DoorDash did not provide this information.
  • Not Offering an Opt-Out
    Under the CCPA, businesses that sell consumers’ personal information must disclose that fact and provide a conspicuous way to opt out. “Selling” means more than just trading data for cash; it also includes giving access to personal data in exchange for “valuable consideration.” In this case, DoorDash was giving up its customers’ data in exchange for the opportunity to market to other companies’ customers, which is definitely a form of valuable consideration. The arrangement is therefore a sale of data, but DoorDash did not disclose it or offer a mechanism for consumers to opt out.

Key Takeaways for Other Businesses

While the Attorney General’s press release does not go into great detail about its investigation or DoorDash’s alleged violations, other businesses can still learn a few lessons about privacy compliance from the case.

  • Participating in a marketing cooperative is definitely a sale of personal information
    There wasn’t much doubt about this among privacy professionals, but the DoorDash settlement should nevertheless serve as a wake-up call to other companies that participate in marketing cooperatives and other similar arrangements. They should clearly disclose that they are selling personal information and provide a compliant opt-out to consumers.
  • Businesses can’t rely on cure periods
    The Attorney General’s statement that “violations cannot be cured” should put a lot of fear into the regulated community. While the CCPA initially included a mandatory 30-day cure period for alleged violations, that provision sunsetted on January 1, 2023. The state is under no obligation to offer a cure period, and businesses should not be depending on it.
  • The cost of violations goes beyond fines
    Putting aside the $375,000 civil penalty, the money spent on attorneys’ fees, and all the time lost in responding to the investigation, this is still a blow to DoorDash. First, the terms of the settlement require DoorDash to submit annual reports to the state related to any potential selling or sharing of personal information, which means the AG’s Office will be regularly evaluating the business with regard to data privacy. Second, and more importantly, it damages DoorDash’s credibility with its customers by shining a spotlight on the fact that it was selling their data, and it now makes customers wonder what else they don’t know about.

Privacy Compliance Made Simple

The biggest obstacle businesses face in privacy compliance is not taking it seriously enough. Posting a generic privacy policy and assuming that authorities will automatically give businesses a chance to cure has become a high-risk strategy. The CCPA has been on the books for years, and the DoorDash case makes clear that state officials have run short on patience. The time for getting compliant is now, before an enforcement action disrupts your business and costs you hundreds of thousands of dollars in fines and legal fees.

TrueVault US simplifies privacy compliance across multiple state laws, so that businesses can handle it on their own. With an interface that is familiar to anyone who has done their own taxes online, TrueVault guides you through every step of the process, from onboarding vendors to handling privacy requests. As more states pass comprehensive privacy laws, they are added to your Privacy Center at no extra cost.

Contact our team to learn more and view a demo of how TrueVault works.
