DoorDash Coughs Up A Few Bucks After California Accuses It Of Spreading Around Customer Info

DoorDash will cough up $375,000 to settle claims it trampled California's privacy laws by giving away customers' info without their consent nor giving them the opportunity to opt out.

In addition to that paltry sum - for context, DoorDash's annual revenue in 2023 was nearly $9 billion [PDF] - the San Francisco-based food delivery app maker also agreed this month to review its technology and contracts with marketing and analytics vendors and confirm it's sharing or selling personal information legally. 

DoorDash also promised [PDF] to provide annual reports to the Golden State's attorney general about any such potential sale or sharing of personal data, and generally comply with the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

And, as usual with these types of crackdowns and settlements, DoorDash doesn't admit any guilt or liability.

The app giant, as part of its food delivery service, collects customers' names, addresses, and transaction history. According to prosecutors in California [PDF], the multinational was also a member of two marketing cooperatives, in which businesses contribute their customers' personal information and, in return, can advertise their products to each other's users.

"This is a sale of personal information under the CCPA," the US state's complaint alleged. 

California's landmark privacy law, which went into effect on January 1, 2020, requires businesses that sell personal information to not only disclose this practice, but also allow folks to opt out. Plus, it defines "sale" to include sharing this personal info with third parties in exchange for some benefit — in this case, being allowed to advertised DoorDash to other organizations' customers.

• Sephora to pay $1.2m to settle Cali privacy law claims – and why this is a big deal
• Cali puts mobile app makers on notice over privacy
• Now Oktapus gets access to some DoorDash customer info via phishing attack
• 'Scandal-plagued' data broker tracked visits to '600 Planned Parenthood locations'

Additionally, according to the prosecution's court filings, DoorDash "violated CalOPPA by failing to state in its posted privacy policy that it disclosed personally identifiable information, like a consumer's home address, to the marketing co-ops."

CalOPPA, which has been in effect since 2004, requires any business with a website that collects personally identifiable information to disclose, in its privacy policy, the types of third parties with which it shares these details.

In a statement to The Register, and posted on its website, DoorDash spokesperson Parker Dorrough said:

DoorDash also said it shared "basic consumer information" with the co-cops, and claimed the marketing co-op then shared the data "against our request."

This included "non-sensitive consumer information such as name, delivery address and basic transaction information such as the amount," according to the food service [non-sensitive? – ed.]. "The marketing co-op breached our contract and trust by failing to carry out our request to delete California customer data. When we learned about this, we took steps to ensure they deleted our customer data as requested."

California Attorney General Rob Bonta touted the settlement as a "wakeup call to businesses" and a reminder that they must give folks a way to opt out of the exchange of their personal data.

"The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law," Bonta said in a statement. "Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers' rights."

This is Bonta's second CCPA enforcement settlement. The first, in 2022, netted a $1.2 million check from global beauty retailer Sephora, whose parent LVMH recorded profits of €2.8 billion ($24.5 billion) in 2023.

In January 2023, the West Coast state's top attorney put retail, travel and food service apps on notice that his office would be targeting businesses that didn't follow Californian privacy laws. ®