California Attorney General (AG) Rob Bonta reached a settlement with food delivery company DoorDash on 21 February — the second-ever enforcement action taken under the California Consumer Privacy Act (CCPA) since the law took effect in 2020.
Under a proposed order, DoorDash must pay a $375,000 civil penalty, enter into a three-year compliance programme, and report annually to the California AG.
Here are three key insights from DoorDash’s settlement and what it means for CCPA-covered businesses.
Sharing data with a marketing co-operative is “selling” personal information
DoorDash allegedly disclosed its customers’ personal information to a “marketing co-operative” without notifying consumers in its privacy notice or offering them an opt-out. AG Bonta deemed this disclosure of personal information to be a “sale” under the CCPA.
However, DoorDash appears not to have received any money for its customers’ personal information. Instead, the company earned “the opportunity to advertise its services” to customers of other participants in the co-op.
That is still a “sale” under the CCPA, as it involves exchanging personal information with a third party for “valuable consideration”.
“Any transaction under which a business receives a benefit for sharing consumer information can be a sale for purposes of the CCPA,” AG Bonta writes in his complaint against DoorDash.
DoorDash therefore allegedly broke the CCPA’s golden rule for selling personal information: providing a “Do Not Sell My Personal Information” link so that consumers can opt out.
Selling personal information requires a watertight contract
Providing notice isn’t the only requirement when selling personal information under the CCPA. Businesses must also put in place a contract containing the provisions set out at §1798.100(d). Among other things, a contract between a business and a third party to which the business sells personal information must:
- Require the third party to comply with the relevant parts of the CCPA
- Require the third party to notify the business if it can no longer comply with the CCPA
- Grant the business a right to stop any unauthorised use of the personal information by the third party
DoorDash allegedly failed to put such provisions into its contract. So, when a consumer became aware that DoorDash had sold her personal information, the company was unable to determine the third parties to which the data had been resold, or to stop the ongoing resale of the consumer’s personal information.
The CCPA’s ‘notice and cure’ provision is not a ‘Get Out of Jail Free’ card
Like most other US privacy laws, the CCPA has a “notice and cure” provision. This allows (or, at the time of the DoorDash investigation, required) the authorities to give a business suspected of a violation the opportunity to put things right and avoid enforcement.
When notified of its suspected CCPA violation, DoorDash apparently did stop selling its customers’ personal information. But that was not enough to “cure” the violation according to the AG.
On this specific matter, “…state courts have interpreted ‘cure’ in other statutes to mean making consumers whole by restoring them to their pre-violation position,” AG Bonta said.
The problem came back to DoorDash’s contract with the marketing co-op. According to the AG, the company could not have stopped the ongoing processing of its customers’ personal information even if it had tried.
The aggrieved consumer’s personal information had reportedly been re-sold “many times over”. Because the contract did not give DoorDash any auditing rights, there was no obvious way for the company to even figure out who held the personal information.
Adapting to the new US privacy landscape
At least 15 US states have passed or enacted new privacy laws over the past two years.
Almost every new US privacy law since the CCPA includes some sort of “notice and cure” mechanism, from Virginia’s Consumer Data Protection Act (VCDPA), which took effect last January, to New Hampshire’s Senate Bill 255, which passed last month.
These provisions are beneficial for businesses accused of failing to meet their legal obligations in this new privacy landscape. But as the DoorDash case shows, businesses must be in a position to actually put things right.
While CCPA enforcement has been slow so far, a recent victory by the California Privacy Protection Agency (CPPA) means that the agency might start flexing its regulatory muscles imminently. The agency’s finalised regulations, covering 15 areas of CCPA compliance, are now enforceable—and enforceable rules in three further areas should follow soon.
HewardMills’ US privacy experts can help you understand which laws apply to your business and design a compliance programme that enables you to keep growing while respecting your customers’ personal information.