The California Attorney General (“AG”) recently delivered (pun very much intended) a public CCPA enforcement action against DoorDash, its second following the 2022 settlement with Sephora. The DoorDash action stems from a notice of violation alleging that DoorDash’s personal information disclosures to a marketing co-op constituted a “sale” under the CCPA and that DoorDash failed to comply with CCPA “sale” opt-out and disclosure requirements. The complaint also asserted violations of CalOPPA, California’s 2004 website privacy policy law.

A proposed stipulated judgment would require DoorDash to:

• Pay a $375,000 penalty,
• Update its privacy policy and notice at collection to address data sales,
• Review marketing and vendor contracts to determine whether it is “selling” personal information or sharing personal information for cross-context behavioral advertising, and
• Provide annual reports to the AG regarding personal information “sales” and sharing for cross-context behavioral advertising.

This post offers tips (again, pun intended) for privacy lawyers and professionals from the DoorDash action.

1. AG emphasizes the breadth of the CCPA “sale” definition.

According to the AG’s complaint, DoorDash disclosed consumer names, addresses, and order histories to a “marketing co-op” in which unrelated businesses contribute the personal information of their customers in order to advertise their products to other participating businesses’ customers. Thus, DoorDash did not receive any monetary payments for data it disclosed, but did receive the ability to advertise directly to other co-op participants’ customers.

The California AG alleged these disclosures to the co-op constituted a “sale,” under CCPA, because the opportunity to advertise to other co-op participants’ customers constituted “other valuable consideration” under the CCPA’s “sale” definition. DoorDash violated the CCPA because it did not treat these co-op disclosures as “sales” in its privacy disclosures or offer California consumers an opportunity to opt-out.

The AG’s interpretation of the term “sale” under CCPA emphasizes that businesses should be overinclusive as to whether particular disclosures fall with the scope of that term. Disclosing personal information to receive services, obtain discounts, access other information, or receive other nonmonetary benefits should be treated as “sales” in many cases.

The case also highlights the need to ensure that opt-out mechanisms function effectively across different “sale” contexts. For example, a business that “sells” information via online cookies and also engages in offline disclosures like those at issue in DoorDash will need to integrate multiple work flows to offer consumers a single global “sale” opt-out as required by CCPA.

2. Where there is a right to cure, “selling” personal information without valid notices and opt-outs may still be incurable.

The AG’s compliant also discusses whether DoorDash cured the violations because, prior to the CPRA taking effect, the CCPA allowed businesses an opportunity to cure violations within 30 days of receiving notice from the AG.

According to the complaint, however, any “cure” for an unlawful “sale” under CCPA must restore affected consumers “to the same position they would have been in if their data had never been sold.” While DoorDash stopped disclosing information to the co-op following its receipt of the notice of violation from the AG, that action could not cure the violation because the co-op had already resold DoorDash customer information to data brokers and other downstream third party recipients. The AG further observed that DoorDash did not have contractual rights to exercise oversight over the co-op’s downstream disclosures and that the company did not take any other steps that may have mitigated the impact to consumers, like instructing the co-op to stop selling information DoorDash disclosed.

While it’s true that the CPRA eliminated the CCPA’s cure period, the AG’s discussion of this point could still be relevant to other recently adopted state privacy laws that do contain a cure period. Organizations “selling” information should therefore consider contracting for continuing oversight rights, like those required by the CCPA for “third parties,” over all “sold” personal information regardless of geography or which laws apply.

3. Focus on the fundamentals keeping privacy disclosures accurate and comprehensive.

The complaint also alleged that DoorDash violated CalOPPA by failing to disclose its participation in marketing co-ops generally in its privacy policy. To that end, the complaint alleges that DoorDash’s privacy policy only disclosed that it would use consumer information for DoorDash to advertise to DoorDash customers, not that the information would also be disclosed to other businesses to advertise to them.

The AG’s inclusion of a CalOPPA claim in the DoorDash complaint emphasizes the fundamental importance of accuracy and comprehensiveness in privacy policies. Disclosing DoorDash’s participation in marketing co-ops, and uses and disclosures of personal information that would result from that participation, in DoorDash’s privacy policy could have eliminated a separate enforcement claim. Organizations should therefore remain mindful of laws, like CalOPPA, that require accurate and comprehensive foundational descriptions of personal information collection and processing, separate and apart from more detailed disclosures that are often required under emerging privacy laws like CCPA.

* * * *

CCPA enforcement risk will continue following the DoorDash enforcement action, especially for businesses implicated in the AG’s recent announcements of enforcement sweeps aimed at employers and streaming services. And that risk is all the more significant since the CPRA’s elimination of the 30-day cure period as an AG enforcement prerequisite.