July 24, 2024
DoorDash Fined $375K for CCPA Violations
The CA Attorney General announced a significant fine on DoorDash over violations of state privacy laws. Find out how to keep your business compliant.

California Attorney General Rob Bonta recently announced a $375,000 settlement with DoorDash over alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The Attorney General’s allegations centered around the food-delivery company’s sharing of consumers’ personal data with a marketing cooperative, which amounted to “selling” information under the CCPA.

“I hope today’s settlement serves as a wakeup call to businesses,” said Mr. Bonta. “The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

What Did DoorDash Do Wrong?

At the heart of the allegations is DoorDash’s participation in a “marketing cooperative.” A marketing cooperative allows participating companies to advertise to each other’s customers. For example, the owner of a gym may want to reach the customers of a company that sells yoga pants, or vice versa. In exchange for this opportunity, each member gives the cooperative access to its customer data, and the cooperative acts as a data broker.

There is nothing inherently illegal about participating in a marketing cooperative. What got DoorDash into trouble was its (alleged) failure to do two things: (1) disclose the fact of its participation in the marketing cooperative, and (2) offer consumers a way to opt out.

  • Failure to Disclose
    Both the CCPA and CalOPPA require businesses to include in their privacy policy the categories of personal information that they disclose to third parties, and the categories of those third parties. According to the Attorney General, DoorDash did not provide this information.
  • Not Offering an Opt-Out
    Under the CCPA, businesses that sell consumers’ personal information must disclose that fact and provide a conspicuous way to opt out. “Selling” means more than just trading data for cash; it also includes giving access to personal data in exchange for “valuable consideration.” In this case, DoorDash was giving up its customers’ data in exchange for the opportunity to market to other companies’ customers, which is definitely a form of valuable consideration. The arrangement is therefore a sale of data, but DoorDash did not disclose it or offer a mechanism for consumers to opt out.

Key Takeaways for Other Businesses

While the Attorney General’s press release does not go into great detail about its investigation or DoorDash’s alleged violations, other businesses can still learn a few lessons about privacy compliance from the case.

  • Participating in a marketing cooperative is definitely a sale of personal information
    There wasn’t much doubt about this among privacy professionals, but the DoorDash settlement should nevertheless serve as a wake-up call to other companies that participate in marketing cooperatives and other similar arrangements. They should clearly disclose that they are selling personal information and provide a compliant opt-out to consumers.
  • Businesses can’t rely on cure periods
    The Attorney General’s statement that “violations cannot be cured” should put a lot of fear into the regulated community. While the CCPA initially included a mandatory 30-day cure period for alleged violations, that provision sunsetted on January 1, 2023. The state is under no obligation to offer a cure period, and businesses should not be depending on it.
  • The cost of violations goes beyond fines
    Putting aside the $375,000 civil penalty, the money spent on attorneys’ fees, and all the time lost in responding to the investigation, this is still a blow to DoorDash. First, the terms of settlement require DoorDash to submit annual reports to the state related to any potential selling or sharing of personal information, which means the AG’s Office will be regularly evaluating the business with regard to data privacy. Second, and more importantly, it damages DoorDash’s credibility with its customers by shining a spotlight on the fact that it was selling their data, and now makes customers wonder what else they don’t know about.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
