In its settlement order, the Attorney General focused on DoorDash’s sale and sharing of personal information in a marketing cooperative, finding that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of the sale of their personal information.  As described by the Attorney General, a marketing cooperative is “where at least two unrelated business entities contribute the personal information of consumers for the purpose of advertising their own products to consumers using personal information contributed by other participating business entities.”

As part of the settlement, DoorDash must pay a $375,000 civil penalty and confirm its compliance with the CCPA, and the California Online Privacy Protection Act. The settlement also requires DoorDash to review contracts with marketing and analytics vendors, and DoorDash’s use of technology to evaluate whether the company is “selling or sharing” consumer personal information. If the answer is yes, the company must clearly and conspicuously state that it sells or shares personal information in its privacy policy and just-in-time notices. DoorDash must also provide an annual certification to the California Attorney General affirming that it is complying with the judgment, summarizing its compliance program, and confirming whether it continues to participate in a marketing cooperative.

Although California continues to lead in shaping the interpretation of privacy regulations and what it means for business, many other state privacy laws also require transparency regarding how personal information is shared with third parties and the right to opt out of such sharing. 

The DoorDash settlement highlights the importance for companies to clearly disclose the sale and sharing of personal information in privacy disclosures, and to provide an opportunity for consumers to opt out of the transfer of their information (whether a sale or sharing) to marketing cooperatives. It also shows how important it is for companies to closely review and assess how they are sharing data with third parties on their websites and applications, and in the course of business. We encourage companies to confirm that there are compliant opt-out mechanisms in place, which should include an interactive privacy choice form and a “Do Not Sell or Share My Personal Information” link. 

The Constangy Cyber Team continues to monitor developments at the state, national, and international levels related to privacy laws and enforcement. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.