DoorDash Fined $375k over CCPA Violation

Press Release
Feb 21, 2024

California AG Rob Bonta announced today that DoorDash had settled with the California Privacy Protection Agency over previous violations of the state's data privacy law, the California Consumer Privacy Act, for $375,000.

The violations occurred in 2020 as part of a marketing co-op in which DoorDash shared customers' personal data without consent or transparent notice that the transfer of data was happening. Under CCPA's do not sell/share requirements, this equated to the sale of data, and DoorDash did not cure the violation.

As part of the settlement, DoorDash must now comply with several strict injunctive terms, including, per the press release:

•  Comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information.

•  Review contracts with marketing and analytics vendors and use of technology to evaluate if it is selling or sharing consumer personal information.

•  Provide annual reports to the Attorney General that monitor any potential sale or sharing of consumer personal information.

Of particular note, DoorDash had the opportunity to cure this violation several years ago, but that opportunity was potentially available only because the CCPA was newly enacted. Bonta declared today, “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”
