Privacy Lessons Learned from DoorDash

by Tatyana Ruderman and Dhara Shah

On February 21st, the California AG announced its second major enforcement action under the CCPA. This time, the CA AG focused on the CCPA’s rules around sales of consumer data and the requirements to provide notice and the ability to opt out of such practices. Specifically, the AG claimed that DoorDash engaged in sales by participating in marketing cooperatives, failed to disclose this to consumers, and failed to provide the ability to opt out.

The result was a settlement involving a $375,000 penalty as well as injunctive terms; however, its significance goes beyond its fines.

This settlement provides some much-needed guidance to businesses by clarifying the AG’s interpretation of CCPA requirements. Here is what we know:

1) Be Sure to Provide Clear Privacy Disclosures: Participating in a marketing cooperative will be considered a sale under CCPA — this is expected but the recent enforcement indicates that the AG is looking for this practice to be more specifically disclosed in privacy notices.

2) Carefully Review Every Single DPA: The data sharing at the heart of the AG’s claims occurred in a single transfer — this teaches us that a single marketing agreement sneaking through the cracks can result in a significant settlement, ongoing regulatory oversight, and a PR nightmare. Covered businesses need to ensure all agreements involving personal data are carefully vetted to make sure they include required terms (this is actually part of the AG’s injunctive order with DoorDash).

3) Always Be Transparent: Marketing arrangements typically stay behind the scenes and can seem innocuous, but as we’ve seen in the news in recent years, practices can come to light in a way that is shocking and offensive to consumers. In DoorDash’s case, a consumer complained that they received mail advertisements to their home connected with an alias that was only used in connection with DoorDash (specifically because they sought to protect their privacy).

4) A Cure Period Doesn’t Always Mean a Cure is Possible: In the complaint, the AG alleged that because the marketing cooperative allowed data to be sold downstream to data brokers, DoorDash could not determine what companies to contact to have the data deleted or prevent further downstream selling — given this, the company could not make the consumers “whole” and could not cure the violation.

5) Take Caution Going Forward: AG Bonta reinforced that violations can no longer be cured, and his office is committed to holding businesses accountable — this may indicate that, though there have only been a few major enforcement actions in CA, we can expect to see more this year (and it appears that the AG has now focused its investigatory gaze on streaming services).

Complying with a very young, complex, and hardly tested law is certainly not easy, and here at ILG we thrive in helping our clients interpret regulatory guidance and apply it to their compliance strategy in real-time. With the anticipated increase in enforcement, be sure to work with your legal teams to ensure you’re taking the necessary measures to stay up to speed with the constantly evolving privacy landscape.

Originally published by InfoLawGroup LLP.