DoorDash to pay fine for selling Californians’ customer data

Last-mile delivery company DoorDash has agreed to pay the state of California $375,000 to settle a case brought by California’s attorney general for illegally selling customer information in 2020.

California Attorney General Rob Bonta announced on Wednesday that the settlement resolves allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

A California Department of Justice investigation into the matter discovered that DoorDash sold customers’ personal information without providing notice or the chance for DoorDash users to opt out.

The sale of the information was part of DoorDash’s participation in a marketing cooperative that enables participants to share customer information and advertise to one another’s customers, according to Bonta.

DoorDash publicly acknowledged that it traded information on the cooperative but said it no longer participates in the group. 

Bonta said in a press release that the San Francisco-based delivery company’s participation in the cooperative violated customers’ rights under California’s privacy laws. 

“As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale,” Bonta said in a written statement. “I hope today’s settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

DoorDash released its own statement, noting that it has not worked with marketing co-ops since 2020, and called the issue a “years-old-matter.”

“This settlement arises out of a single incident involving a vendor over four years ago, the same month the California Consumer Privacy Act went into effect, and the terms reflect our good faith and deep commitment to privacy,” the company said. 

DoorDash also noted that merchant and Dasher data was not shared, only “non-sensitive consumer information” such as name, address, and basic transaction information such as amount. “No personal information was shared,” the company said. 

In addition to the fine, DoorDash has agreed to comply with CCPA and CalOPPA, review contracts with marketing and analytics vendors to determine if they share or sell personal data, and provide annual reports to the AG’s office on any potential sale or sharing of customer data.