Attorney General Bonta Announces Settlement with DoorDash, Investigation Finds Company Violated Multiple Consumer Privacy Laws

OAKLAND — California Attorney General Rob Bonta today announced a settlement with DoorDash, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The investigation by the California Department of Justice found that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of that sale in violation of both the CCPA and CalOPPA. The sale occurred in connection with DoorDash’s participation in a marketing cooperative, where businesses contribute the personal information of their customers in exchange for the opportunity to advertise their products to each other’s customers. 

“DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its customers’ rights under our landmark state privacy law. As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale,” said Attorney General Bonta. “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery. In order to reach new customers, DoorDash participated in marketing cooperatives and disclosed consumer personal information as part of its membership in the cooperatives. In January 2020, the first month that the CCPA was in effect, DoorDash traded personal information – including names, addresses, and transaction histories – of California consumers to a marketing cooperative in a single transfer so that it could market its services to the customers of the other participating businesses. The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers. 

Today’s enforcement action alleges that this was a sale of personal information under the CCPA, that DoorDash violated the CCPA’s requirements for businesses that sell personal data, and that it failed to cure these violations. The complaint also alleges that DoorDash violated CalOPPA by failing to state in its posted privacy policy that it disclosed personally identifiable information, like a consumer’s home address, to the marketing cooperatives. Marketing cooperatives enable businesses to trade personal information, which can lead to the widespread dissemination of private consumer data, including to data brokers and other companies that are not members of the marketing cooperative.

As part of the settlement, DoorDash will pay a $375,000 civil penalty and comply with strong injunctive terms. Specifically, DoorDash must:

•  Comply with CCPA and CalOPPA, including requirements that apply to businesses that sell personal information.

•  Review contracts with marketing and analytics vendors and use of technology to evaluate if it is selling or sharing consumer personal information.

•  Provide annual reports to the Attorney General that monitors any potential sale or sharing of consumer personal information.

Today’s settlement with DoorDash marks Attorney General Bonta’s second CCPA enforcement settlement. This enforcement action underscores that sharing of customers’ personal information with a marketing cooperative is a sale within the meaning of the CCPA and that businesses can be exposed to liability under multiple California privacy laws for the same conduct. 

As part of ongoing efforts to enforce the CCPA, Attorney General Bonta last month announced an investigative sweep, and sent letters to businesses with popular streaming apps and devices alleging that they fail to comply with the CCPA. The sweep focused on the compliance of streaming services with CCPA’s opt-out requirements for businesses that sell or share consumer personal information, including those that do not offer an easy mechanism for consumers who want to stop the sale of their data. Attorney General Bonta has previously conducted investigative sweeps related to employee information and children’s privacy. In August 2022, the Attorney General announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA. 

For more information about the CCPA, visit www.oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at www.oag.ca.gov/report.

A copy of the complaint and proposed stipulated judgment, which details the aforementioned settlement terms and remains subject to court approval, can be found here and here.