The DoorDash Dilemma: California Attorney General Cracks Down

By David Estrada
Regulatory Compliance Specialist

In a digital age where privacy is paramount, California Attorney General Rob Bonta is wielding his legal arsenal to safeguard consumer data integrity. His latest target? DoorDash. A recent settlement reveals the food delivery giant’s alleged mishandling of Californians’ personal information, underscoring the ever-growing scrutiny on data privacy practices.

Attorney General Bonta unveiled a settlement with DoorDash to resolve accusations of violating the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). An investigation by the California Department of Justice concluded that DoorDash had sold personal information of its California users without adequate notification or the opportunity to opt out, in violation of both privacy laws.

What is particularly interesting in this case is that DoorDash’s data sharing occurred within the framework of a marketing cooperative, or “co-op”, wherein DoorDash allegedly exchanged customer data for promotional purposes. This move by the California AG signals that such participation in a marketing cooperative (even if no monetary value is received in exchange for consumer data) constitutes a “sale of personal information under the CCPA.” Here, the benefits conferred to DoorDash in the form of promotional advertising in exchange for their consumers’ data constitute “valuable consideration.” Ultimately, the AG’s office emphasized that DoorDash’s involvement in the marketing cooperative constituted a sale under the CCPA, infringing upon consumers’ privacy rights in the process.

Another key takeaway from the AG’s complaint is that they first provided DoorDash with a notice of noncompliance and opportunity to cure as far back as 2020. The AG cites court interpretations of “cure” meaning “making consumers whole by restoring them to [a] pre-violation position.” The AG subsequently commenced this action against DoorDash on the premise that DoorDash failed to cure their noncompliance because consumer data had already been shared with the marketing cooperative and it was also later resold by downstream data brokers. In short: once data flows downstream, you can’t unring the bell. This is precisely why dealers must be proactive in reviewing their data sharing practices and use a compliant consumer consent tool, such as a cookie banner.

As part of the settlement, DoorDash is subject to a $375,000 civil penalty and is bound by stringent injunctive measures. These measures require DoorDash to adhere to CCPA and CalOPPA regulations, reassess agreements with marketing vendors, and furnish annual reports to the Attorney General detailing any potential sale or sharing of consumer personal information.

Why is this Important?

Certain dealer activities could be considered participation in a marketing “co-op”, such as FordPass or other similar OEM-driven programs in which online leads from the dealer’s website are passed to OEMs and then used for their own or joint advertising efforts. Dealers would do well to review their participation in marketing cooperatives to determine if any similar arrangements exist. If they do, dealers should ensure that they’re following procedures for opting customers out and that those procedures are effective at stopping the sharing with the OEM.

This enforcement action underscores the importance for businesses to comply with state privacy laws. It also highlights that sharing consumer data with marketing cooperatives falls within the purview of the CCPA’s definition of a sale, potentially rendering businesses liable under multiple privacy statutes. Moreover, it aligns with ongoing efforts by Attorney General Bonta to enforce the CCPA, including investigative sweeps targeting businesses’ adherence to opt-out requirements for consumer data sales.

Current State of California Privacy

The settlement builds upon prior enforcement endeavors, such as the August 2022 settlement with Sephora for comparable CCPA violations. In addition to enforcement action against DoorDash, 2024 has already proved to be a trying year for California businesses attempting to comply with state privacy regulations. A recent decision by the California Court of Appeal has overturned a previous ruling that delayed the implementing regulations and enforcement of the California Privacy Rights Act (CPRA) until March 29, 2024. As a result, the CPRA is effective immediately.

Despite being in a holding pattern for about a year, the California Privacy Protection Agency (CPPA) is now poised to enforce the CPRA without further delay. Michael Macko, deputy director for enforcement for the CPPA, emphasized their readiness to begin enforcement, stating, “We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here.” Both California dealers and dealers in neighboring states should ensure that their consumer data privacy practices are prepared to undergo scrutiny given the CPPA’s willingness to immediately enforce the CPRA.

Questions?

While this may seem like grim news, the great news is that ComplyAuto has you covered! By staying a step ahead of the curve, our privacy tools are already CPRA-compliant. You can view the AG’s complaint against DoorDash here. For more information, contact us at info@complyauto.com.
