California AG announces second settlement action under CCPA

Constangy, Brooks, Smith & Prophete, LLP
Contact

Constangy, Brooks, Smith & Prophete, LLP

Last week, the California Attorney General announced its second-ever settlement under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. The settlement was with the online food ordering and delivery platform DoorDash.

In its settlement order, the Attorney General focused on DoorDash’s sale and sharing of personal information in a marketing cooperative, finding that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of the sale of their personal information.  As described by the Attorney General, a marketing cooperative is “where at least two unrelated business entities contribute the personal information of consumers for the purpose of advertising their own products to consumers using personal information contributed by other participating business entities.”

As part of the settlement, DoorDash must pay a $375,000 civil penalty and confirm its compliance with the CCPA, and the California Online Privacy Protection Act. The settlement also requires DoorDash to review contracts with marketing and analytics vendors, and DoorDash’s use of technology to evaluate whether the company is “selling or sharing” consumer personal information. If the answer is yes, the company must clearly and conspicuously state that it sells or shares personal information in its privacy policy and just-in-time notices. DoorDash must also provide an annual certification to the California Attorney General affirming that it is complying with the judgment, summarizing its compliance program, and confirming whether it continues to participate in a marketing cooperative.

Although California continues to lead in shaping the interpretation of privacy regulations and what it means for business, many other state privacy laws also require transparency regarding how personal information is shared with third parties and the right to opt out of such sharing. 

The DoorDash settlement highlights the importance for companies to clearly disclose the sale and sharing of personal information in privacy disclosures, and to provide an opportunity for consumers to opt out of the transfer of their information (whether a sale or sharing) to marketing cooperatives. It also shows how important it is for companies to closely review and assess how they are sharing data with third parties on their websites and applications, and in the course of business. We encourage companies to confirm that there are compliant opt-out mechanisms in place, which should include an interactive privacy choice form and a “Do Not Sell or Share My Personal Information” link. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising

Written by:

Constangy, Brooks, Smith & Prophete, LLP
Contact
more
less

Constangy, Brooks, Smith & Prophete, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide