Privacy Insider Newsletter | Data Privacy News Delivered Weekly

DoorDash Hit With CCPA Enforcement Action

Written by Arlo Gilbert | Feb 29, 2024 2:15:00 PM

Hello all, and happy Thursday!  

Big news at Osano! We have a new role for a Senior Privacy Program Manager. This role is perfect for someone who has experience consulting and helping customers build effective, fully-automated privacy processes. If you think you would be a good fit, you can learn more and apply here. 

There’s also big news happening in the broader world of data privacy. 

Last week, our newsletter’s intro discussed how California regulators were signaling that they intended to ramp up enforcement in 2024. The ink wasn’t even dry before that proved to be the case.In what is the second-ever enforcement action of the California Consumer Privacy Act (CCPA), California Attorney General Rob Bonta has announced his office’s action against DoorDash. 

You may remember the Sephora enforcement action, in which the makeup retailer was hit with a $1.2 million penalty. This action features some of the same violations. Specifically, DoorDash was penalized for selling California customers' personal information as part of a marketing cooperative without providing notice or an opportunity to opt out of that sale. 

 This marketing cooperative allowed participating businesses to contribute their customers’ personal information and, in exchange, enabled the businesses to advertise products to each others’ customers. As a result, DoorDash:  

  • Received a $375K fine. 
  • Was ordered to comply with the CCPA and CalOPPA (the California Online Privacy Protection Act). 
  • Must review its contracts with marketing and analytics vendors and its use of technology when selling/sharing consumer personal information. 
  • Must provide annual reports to the attorney general. 

Here’s what AG Bonta had to say in a press release: 

“DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its customers’ rights under our landmark state privacy law. As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale. I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.” 

Stern stuff! You can find the link to the press release in this week’s privacy stories. 

Best, 

Arlo 


Top Privacy Stories of the Week

Vending Machine Error Reveals Secret Face Image Database of College Students 

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent. 

Read more 

Protecting Kids Online: Changes in California, Connecticut, and Congress 

Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, California legislators introduced several bills focused on minors, Congress held hearings and advanced federal legislation protecting minors online, Congress and the Federal Trade Commission (FTC) have signaled a desire to update the Children’s Online Privacy Protection Act (COPPA), and more. 

Read more 

California Privacy Protection Agency (CPPA) Publishes Draft Regulations on Risk Assessments, Automated Decision-Making 

The CPPA recently published draft regulations on the few outstanding concerns in the CPRA, namely risk assessments and automated decision-making technologies. The CPPA will hold a public meeting to discuss these regulations on March 8th. 

Read more  

FTC Order Bans Avast from Selling Browsing Data for Advertising Purposes 

The FTC will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes. The penalty comes after a complaint that Avast unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.  

Read more 

Attorney General Bonta Announces Settlement with DoorDash Over CCPA and CalOPPA Violations 

California Attorney General Rob Bonta recently announced a settlement with DoorDash, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). Specifically, an investigation discovered that DoorDash sold customer personal information without providing notice or an opportunity to opt out. 

Read more 

Osano Blog: What Is Preference Management and How Does It Differ From Consent Management? 

Consumers want and deserve control over their experience with your organization. Consent management is just one half of the coin, though—find out what preference management is, and how it overlaps with consent management in this blog. 

Read more 

If you’re interested in working at Osano, check out our Careers page