DoorDash, Inc. recently settled with the California Attorney General for alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is only the second public settlement with the California AG’s office for claims related to CCPA violations (the first was with Sephora in 2022).

The AG’s complaint stated that DoorDash sold California consumers’ personal information (names, addresses, and transaction histories) as part of its participation in a couple of marketing co-ops that began in 2018. The sale of personal information is not prohibited by the CCPA, but if a business engages in such sales, it must notify consumers of that sale and provide them with the opportunity to opt-out of such sales. The AG’s complaint alleged that DoorDash did neither.

The marketing co-ops that DoorDash participated in would combine consumer data that had been independently collected in exchange for the opportunity to re-target to the other co-op members’ customers. The complaint outlined the fact that under the CCPA, this act is considered a sale because a “sale” does not require the exchange of funds but could be an exchange for “other valuable consideration.”

Additionally, the data was also shared with parties external to the co-op; the data was sold to those external parties who then also sold the data.

To further support the AG’s claims that DoorDash violated consumer protection laws, the AG alerted DoorDash to these potential issues in September 2020. DoorDash responded to the notice from the AG stating that it had stopped selling the data and instructed the co-op participants to delete all California consumer data. However, the AG found that DoorDash did not cure the January 2020 sale of data “because it did not make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold.”

In the complaint, the AG faulted DoorDash for losing track of the data and also for engaging in a marketing co-op agreement that did not allow DoorDash to audit the sale of the data to third parties or restrict the co-op owner from making sales of the data. Lastly, the AG alleged that DoorDash did not update its website privacy policy to disclose that it sold consumer data within the prior year.

To settle these alleged violations, DoorDash has agreed to pay a $375,000 penalty and implement a CCPA and CalOPPA compliance program. DoorDash will also have to provide annual certification of compliance for three years. 

With a settlement like this, businesses may want to assess their practices around disclosures of consumer data and take a look at their website privacy policies to confirm that those practices are clearly articulated and transparent.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.