The Case Overview
On February 21, 2024, DoorDash agreed to a $375,000 settlement, exposing critical vulnerabilities in how businesses handle and share consumer personal information.
Key Violations
DoorDash was found to have:
- Sold customer personal information without proper notice
- Failed to provide opt-out opportunities
- Participated in marketing cooperatives that improperly shared data
- Disclosed customer data to non-cooperative businesses
- Allowed a data broker to resell customer information multiple times
Official Case Documents
- Press Release: California Attorney General Announcement
- Complaint: Full Legal Complaint
- Stipulated Judgment: Settlement Details
Financial and Legal Implications
- Total Settlement: $375,000
- Violations of the California Consumer Privacy Act (CCPA)
- Violations of the California Online Privacy Protection Act (CalOPPA)
- Significant penalties for unauthorized data sharing
Key Compliance Requirements
DoorDash was required to:
- Review contracts with marketing and analytics vendors
- Implement technology to evaluate data selling/sharing
- Provide annual reports monitoring potential data sales
- Develop more transparent data sharing practices
Broader Context
The case highlighted:
- Risks of participating in marketing cooperatives
- Complexities of data sharing in digital platforms
- Importance of clear consumer data notifications
- Challenges of controlling data beyond initial collection
Key Takeaways
- Marketing data sharing requires explicit consent
- Businesses must carefully manage vendor relationships
- Transparency is critical in the data ecosystem
- Third-party data brokers pose significant risks