
California AG Finds Privacy Violations in DoorDash Suit, $375,000 CCPA Enforcement Settlement Announced

DoorDash has settled an ongoing investigation by the California Department of Justice after Attorney General Rob Bonta announced the company had committed privacy violations under the terms of the California Consumer Privacy Act (CCPA). In addition to paying a $375,000 civil fine, the food delivery giant will be subject to additional CCPA enforcement terms going forward.

The case involves DoorDash sending the personal information of its users to third-party marketing firms in 2020, just after the CCPA had come into effect. DoorDash had argued that it was not in violation of the law and thus did not cure the privacy violations, which now date back over four years.

California AG finds DoorDash committed privacy violations in data sharing with marketing cooperatives

The case hinges on DoorDash’s participation in two so-called “marketing cooperatives,” in which groups of businesses agree to provide customer personal information to each other. These associations hoped that the then-emerging California digital privacy law would not view such transactions as a “sale” (since money was not necessarily being directly exchanged on each transaction). California Attorney General Rob Bonta has now made clear that the exchanges these organizations engage in are in fact a sale and subject to CCPA enforcement if applicable transparency and data handling rules are not followed.

The state investigation found that privacy violations did indeed take place as DoorDash failed to give its users notice or opportunity to opt out of these sales. DoorDash was additionally found in violation of the California Online Privacy Protection Act (CalOPPA) by failing to note in its privacy policy that personally identifiable consumer contact information might be provided to marketing partners in these transactions.

The CCPA enforcement settlement consists of the $375,000 fine along with some ongoing injunctive terms. In addition to its ongoing compliance with the general terms of the CCPA and CalOPPA, DoorDash will have to conduct a review of its marketing and analytics vendors to determine if any further privacy violations of this nature might be taking place. It will also be required to report to the Attorney General annually on potential sale or sharing of consumer personal information for at least three years.

CCPA enforcement decision highlights unique terms of California digital privacy law

Six states now have comprehensive data privacy laws active, and seven more will have them coming online within the next three years. But only some of these require that organizations provide a “do not sell my data” opt-out link to consumers. California is unique thus far in establishing that the scope of “valuable consideration” in the wording of its law includes sharing for marketing purposes with “data partners” without a direct exchange of money for the information; any types of sharing that lead to monetary gain in some way may qualify as privacy violations under this interpretation.

The action against DoorDash comes as part of a sweep of CCPA enforcement that began about a month ago and has also included numerous streaming services. But actions of this sort are not new in the state, with the AG similarly fining cosmetics giant Sephora in 2022 over failure to notify users of data sales and properly process opt-out requests.

DoorDash reportedly shared customer names, addresses and transaction histories with business partners looking for new marketing prospects. However, a statement from the company claimed that it shared only “basic” information with these partners and that it was re-shared “against (its) request.” It claimed that shared transaction histories were limited to the amount spent per transaction.

DoorDash had not previously faced regulatory action over privacy violations of this nature or CCPA enforcement, but it did suffer a major data breach in 2022 that involved both its customers and drivers. Both groups had contact information exposed to hackers, and customers also had partial payment card numbers stolen in the breach. That breach turned out to be the result of successful phishing of one of the company’s third-party vendors. The incident was believed to be part of a spree by the hacking group 0ktapus that ultimately included Twilio, LastPass, Signal and others.

Prior CCPA enforcement actions have included a $93 million settlement with Google involving its use of location data, an $8.69 million settlement with health insurance giant Anthem, and a $250,000 settlement with fertility tracking app Glow. However, there have been only a relative handful of cases of privacy violations brought thus far given that the law is now over four years old, and all of the cases with financial penalties thus far have ended in settlements. The amended CPRA additions to the law went into effect in 2023, and it remains to be seen if these expanded protections of personal information will lead to a higher rate of action in the near future.