California AG settles with DoorDash over selling consumer data without notice
The food delivery service company DoorDash settled charges with California's attorney general on Wednesday after state authorities alleged the company sold consumers’ personal information without notice and without giving them a chance to opt out, both violations of California’s strict consumer privacy law.
DoorDash allegedly participated in “marketing cooperatives” where it swapped its customers’ personal information — including names, addresses and transaction histories — with other businesses providing DoorDash with similar information in a bid to collectively increase their customer bases, according to Attorney General Rob Bonta.
“DoorDash’s participation in a marketing cooperative is a sale under the CCPA [California Consumer Privacy Act] and violates its customers’ rights under our landmark state privacy law,” Bonta said in a press release. “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law.”
The CCPA is the country’s strongest consumer privacy law and established a variety of consumer privacy rights and rules for businesses collecting and selling personal data. It took effect in 2020.
Parker Dorrough, a spokesperson for San Francisco-based DoorDash, said the company stopped engaging with marketing cooperatives in 2020.
“We’re pleased to have resolved this years-old matter,” Dorrough said in a statement. “This settlement arises out of a single incident involving a vendor over four years ago, the same month the California Consumer Privacy Act went into effect, and the terms reflect our good faith and deep commitment to privacy.”
As part of the settlement, DoorDash will pay a $375,000 civil penalty, review agreements with vendors to assess if customer information is being sold or shared, and provide annual reports to Bonta’s office disclosing any potential sale or sharing of consumers’ personal information.
The DoorDash agreement is Bonta’s second CCPA enforcement settlement. In August 2022, Bonta settled with the cosmetics retailer Sephora after alleging that the company did not tell consumers it was selling their personal information and did not process customer opt-out requests.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.