On Feb. 21, 2024, California’s Attorney General (AG) announced the second public settlement of an enforcement action under the California Consumer Privacy Act (CCPA). This settlement requires DoorDash to pay a $375,000 civil penalty and comply with injunctive terms, which include submitting annual reports for the next three years regarding DoorDash’s compliance with the CCPA and the California Online Privacy Protection Act (CalOPPA) and reviewing DoorDash’s contracts with marketing and analytics vendors to evaluate whether it is selling or sharing personal information.
The complaint against DoorDash alleged that it participated in a marketing cooperative owned by KBM Group LLC (KBMG). DoorDash allegedly disclosed the names, addresses and transaction histories of its customers to KBMG in exchange for the opportunity to advertise its services, through KBMG, to the customers of other companies in the cooperative. The complaint also alleged that DoorDash did so without disclosing in its online privacy policy that it sold personal information, violating both the CCPA and CalOPPA, and without posting the “Do Not Sell My Personal Information” link on its website and mobile app as required by the CCPA.
The settlement serves as a reminder of the broad definition of “sale” under the CCPA and the AG’s interpretation of the term, which according to the complaint includes any sharing or disclosure of personal information to a third party “in exchange for a benefit.”
It is important to remember that most privacy laws do not prohibit the selling of personal information, which under the CCPA includes sharing it in exchange for money or “other valuable consideration.” Companies may continue to sell personal information, including for marketing and advertising, provided they comply with various notice, consent and opt-out requirements found in domestic and foreign privacy laws. Special considerations may apply to sensitive personal information, the personal information of children and consumer profiles created from personal information.
Companies should review their data flows to determine the purposes for any sharing of personal information with third parties and whether the company receives anything of value in return, such as advertising opportunities or preferred search results placement. This is particularly important for personal information collected from visitors to the company’s websites or mobile apps, which may share personal information with third parties automatically through cookies, pixels or other online trackers.
In addition to the notice, consent and opt-out requirements, companies should review the contracts that govern any sharing of personal information with third parties. The CCPA contains specific contractual requirements that must be in place before sharing personal information, even where the sharing would not qualify as a “sale” under the CCPA. The recent enforcement action specifically referenced DoorDash’s failure to include restrictions on the resale of personal information in its contract with KBMG, as well as the lack of audit controls that would have allowed DoorDash to discover additional third parties that may have purchased the information from KBMG or other members of the cooperative downstream.
The AG enforces the CCPA through its own online research (including reviewing companies’ online disclosures and opt-out procedures, cookies, and other web trackers) as well as by investigating consumer complaints. The DoorDash enforcement action referenced a consumer complaint regarding DoorDash in September 2020, which may have prompted the AG to send a notice of alleged CCPA noncompliance to DoorDash later that same month.
The AG has previously announced investigative sweeps for CCPA compliance that targeted employee personal information, children’s privacy and most recently streaming services. In the DoorDash settlement announcement, the AG stressed that CCPA violations “cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”
Separately, California’s Third District Court of Appeal ruled this month that the California Privacy Protection Agency, which is tasked with promulgating and enforcing CCPA regulations, may begin enforcement immediately. The AG and the California Privacy Protection Agency now have concurrent jurisdiction to enforce the CCPA going forward, and companies may expect to see an increase in enforcement actions as a result.
We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance.