It’s starting! Following 2022’s enforcement action with Sephora, the California Attorney General continues to crack down on violations of the California Consumer Privacy Act (CCPA). In only the attorney general’s (AG’s) second public settlement of an enforcement action under the CCPA, the AG announced a settlement with the billion-dollar food delivery service DoorDash. As the industry begins to see more privacy law enforcement, companies subject to the CCPA should pay close attention as these enforcements can strongly affect their bottom line. Privacy law violations can also often lead to costly class action litigation—with DoorDash yet to receive class action. In this latest example, the AG focused on the widespread practice of “licensing” personal information.
Failure to meet the requirements of CCPA may lead to fines of up to $7,500 for each intentional violation, meaning businesses may face up to millions of dollars in fines for repeated violations. The CCPA applies to for-profit organizations that conduct business in California, collect personal information from California consumers (including employees), and meet the following thresholds: (1) exceed $25 million in gross revenue in the preceding year, (2) buys, sells, or shares the personal information of 100,000 or more consumers or households, and (3) derives more than 50% or more of its annual revenue from selling or sharing consumers’ personal information.
“Delivering” a broader interpretation of sale
In September 2020, the California AG sent DoorDash a notice of CCPA noncompliance, stating that DoorDash was participating in marketing cooperatives through licensing agreements. Such cooperatives or “co-ops” allow unrelated businesses to share the personal information of their customers to advertise their own services to the customers of other participating businesses. In some situations, a “license agreement” is executed between business partners that wish to sell sensitive information. Here, DoorDash sent the personal information it collects (such as customers’ names, addresses, and transaction history) to the co-op for the opportunity to mail advertisements to customers of other participating businesses. Because the CCPA implies that a sale of data can go beyond what we traditionally think of as a sale—an exchange of a good or service for monetary consideration—the AG made clear that these types of co-ops are considered a “sale” under CCPA. Further, DoorDash failed to comply with the relevant legal requirements accompanying such a sale.
The CCPA requires businesses that sell or share consumers’ personal information to provide a clear and conspicuous link on their business homepage titled “Do Not Sell or Share My Personal Information” that will take the consumer to a proper opt-out of the sale or sharing of their personal information.
DoorDash's Historical CCPA Violations and Implications for Compliance
The notice gave DoorDash an opportunity to cure their violation within 30 days. However, given that DoorDash had no way to track what entities received the personal information it sold or to “undo” the sale of such information, DoorDash failed to cure their historical CCPA violations, as affected customers were not restored to their pre-violation status. Notably, the AG’s analysis seems to suggest that there was little DoorDash could do to actually cure its historical practices as they relate to the already sold personal information. Importantly, the ability for companies to cure their CCPA violations is no longer an option, as the California Privacy Rights Act amended the CCPA to remove the cure provision, effective January 1, 2023. DoorDash’s inability to cure this specific violation should be a warning to companies covered by other state privacy laws that still provide a cure period that not all violations are curable.
On February 21, 2024, through a proposed stipulated judgment, the AG announced a settlement with DoorDash, requiring DoorDash to pay a monetary penalty of $375,000 and comply with certain injunctive terms. The settlement terms are still subject to court approval. Under the proposed settlement, DoorDash must also provide notice at or before collection to its customers that it sells or shares personal information. DoorDash is also required to update its privacy policy to include a list of categories that detail the types of personal information they collected, sold, or shared about their consumers in the previous twelve months.
Additionally, DoorDash is required to explain in its privacy policy that consumers have the right to opt out of the sale and or sharing of their personal information. If a consumer exercises the right to opt out of the sale or sharing of their personal information, the business must comply with the consumer’s option and wait at least twelve months before making a request to sell or share again. Lastly, DoorDash is required to participate in a compliance program for three years post-decision and annually certify their compliance with the AG’s office for a period of three years as well.
Ready for more
After the announcement of this settlement, the AG revealed that as part of the efforts to enforce the CCPA, the AG’s office is undertaking an investigative sweep, focusing on streaming services compliance with the CCPA opt-out requirements related to the sale or sharing of personal information.
A warning and potential class action exposure
As we expect further investigations and enforcements from the AG’s office to continue, covered businesses should consider whether any disclosures of personal information could constitute a sale under the broad interpretation. Government enforcement is often followed by class action lawsuits against businesses that fail to meet the requirements of state privacy laws. And such risks multiply exponentially when the information is health-related.
When selling information subject to state or federal privacy laws, businesses must meet various standards, including CCPA’s requirements, to ensure that a website’s opt-out mechanisms are easy to navigate for visitors.
The DoorDash violations and settlement are great warnings for businesses to take the time to review their data collection and disclosure policies and platforms to ensure compliance with privacy laws, including the CCPA. Proactive attention to the CCPA can save time and money later on, and, as the DoorDash settlement shows, the AG is not afraid to pursue large companies to ensure compliance.
The cybersecurity and data privacy landscape is shifting quickly, challenging organizations to comply with new, complex regulatory requirements. If you have any questions regarding the DoorDash settlement and other privacy protection laws, contact the Nixon Peabody team today.