On February 21, the California Attorney General (“AG”) announced a settlement with DoorDash, an online food delivery service, to resolve allegations that the company violated the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA) through its participation in a marketing cooperative. As part of its involvement in this arrangement, DoorDash provided consumer personal information to the cooperative in exchange for the ability to advertise to customers of other cooperative participants. The California AG alleged that this constituted a “sale” of personal information within the meaning of the CCPA, and that DoorDash failed to comply with the relevant legal requirements accompanying such sale (e.g., making appropriate privacy policy disclosures; posting a “Do Not Sell My Personal Information” link on its website and mobile app). The AG further alleged that DoorDash’s failure to disclose this sharing of personal information in its privacy policy constituted a violation of CalOPPA. As part of the settlement, DoorDash will be required to pay a monetary penalty of $375,000 and comply with various injunctive terms, including the development of a compliance program and annual reporting to the California AG.
This settlement marks the California AG’s second CCPA enforcement settlement, following an August 2022 settlement with Sephora. Further, this settlement comes on the heels of several “investigative sweeps” that the California AG has conducted over the past several months, including one (announced last month) targeted at streaming services and similar ones from last year that focused on such areas as employee and job applicant information and mobile applications. Taken together, these developments indicate a growing CCPA enforcement appetite on the part of the California AG, which means that companies processing California residents’ personal information should take extra care to ensure that their data processing activities comply with relevant legal requirements.
In this post, we identify key takeaways from the California AG’s privacy settlement with DoorDash. To stay up to date on the latest California privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
KEY TAKEAWAYS
1. Broad Conception of “Sale.” The CCPA defines a “sale” of personal information to include the disclosure of personal information “to a third party for monetary or other valuable consideration” (emphasis added). The DoorDash enforcement action demonstrates that the California AG takes the concept of non-monetary sales seriously. After all, nowhere in its complaint does the AG allege that DoorDash received direct monetary compensation for the consumer personal information it shared with the marketing cooperative. Rather, the complaint alleges that DoorDash received non-monetary consideration in exchange for that customer information — specifically, the “benefit of advertising to potential new customers.” Thus, businesses seeking to understand their compliance obligations under the CCPA should take care to assess whether any of their disclosures of personal information constitute “sales” within the meaning of the law, even if those disclosures are not made in exchange for a monetary payment.
2. Limited Ability to Cure. The AG’s complaint discusses how DoorDash allegedly failed to cure the CCPA violation caused by its disclosure of personal information to the marketing cooperative. What is notable about the AG’s analysis is that it seems to suggest that there was little DoorDash could have done to cure its CCPA violation after the alleged sale took place. Though the complaint acknowledges that there were “modest available steps” DoorDash could have taken to “mitigate[] the harm” created by its violation (such as instructing the marketing cooperative not to sell DoorDash customers’ personal information, or updating its privacy policy to inform its customers of the sale), it treats the core of the company’s CCPA violation as essentially incurable. This is because, as the complaint reasons:
The consumer personal information and inferences about DoorDash’s customers had already been sold downstream to other companies and beyond the marketing co-op’s members, including to a data broker that re-sold the data many times over. DoorDash also could not determine which downstream companies had received its data so that it could contact each company to request that it delete or stop further selling the data.
Thus, because it had essentially lost the ability to track where its customers’ personal information had been disclosed, DoorDash could not “make affected consumers whole by restoring them to the same position they would have been in if their data had never been sold,” and therefore could not cure its CCPA violation.
The ability of companies to cure their privacy law violations is no longer relevant for CCPA purposes, as that law’s cure period provision is no longer in effect as of January 1, 2023 (having been modified by the California Privacy Rights Act (CPRA)). However, the AG’s reasoning may be instructive for companies operating in states whose comprehensive privacy laws have active cure period provisions (such as Colorado, whose cure period provision will remain active until January 2025). Specifically, the DoorDash complaint should serve as a warning to companies to not simply anticipate that any privacy law violation can be resolved in a cure period. Rather, companies should take proactive steps to ensure that their data practices do not place them in a regulator’s crosshairs to begin with.
3. Privacy Policy Disclosures. Though it is hardly the first privacy enforcement action to make this point, the DoorDash settlement makes clear the need for companies to clearly and comprehensively describe their data-sharing practices in their privacy policies. In this case, the California AG acknowledged that DoorDash’s privacy policy “indicated that DoorDash could use DoorDash’s customer data to contact a customer with advertisements.” However, the policy failed to disclose “that other businesses—like marketing co-op members—could contact DoorDash customers with advertisements for their businesses” (emphasis added). This gap was sufficient in the California AG’s view to violate CalOPPA, which requires that businesses identify categories of third parties with which they share consumers’ personally identifiable information.
4. CalOPPA Enforcement. Though much of the recent discourse surrounding California privacy law enforcement has focused on the CCPA and CPRA, the California AG’s action against DoorDash makes clear that CalOPPA, which first took effect in 2004, remains an active, enforceable legal framework. As such, companies processing California residents’ personal information should ensure that their privacy policies satisfy the disclosure requirements outlined in that statute (even if they are not subject to the CCPA).
5. Injunctive Terms. The proposed stipulated judgment, which remains subject to court approval, would impose injunctive terms on DoorDash, in addition to the $375,000 monetary penalty. Specifically, the company would be required to establish a compliance program aimed at assessing whether it is selling or sharing consumer personal information and facilitating its adherence to legal requirements associated with such sale or sharing. Notably, as part of that program, the company would be required to document, among other things, its analysis of contracts with marketing and analytics vendors to determine whether it is selling or sharing personal information in the context of those relationships. DoorDash would then be required to provide annual reports to the California AG for three years that summarize its compliance program. Given California’s role as a national leader in privacy regulation, it is not unreasonable to expect that this settlement — specifically its provisions regarding analysis of vendor contracts — may serve as a model for settlements proposed by other states’ privacy regulators. Further, companies would be well-advised to proactively adopt this settlement’s contract-analysis provisions as a best practice, as such analysis is vital in helping companies to understand their compliance obligations under various privacy law frameworks.