CCPA Disclosure Requirements Emphasized by California AG’s Settlement With DoorDash‎

Privacy & Cybersecurity Newsletter
April 2024

Enforcement of the California Consumer Privacy Act (“CCPA”)[1] continues to heat up with California Attorney General Rob Bonta’s office announcing its second public enforcement action, this time against delivery service provider DoorDash, Inc.[2]

As with the AG’s first enforcement action against beauty retailer Sephora,[3] the DoorDash resolution highlights the AG’s broad interpretation of the term “sale” under the CCPA and the AG’s aggressive enforcement of the statutory notice and opt-out requirements. DoorDash’s alleged participation in a marketing collective in which it exchanged the personal information of California consumers without providing the required disclosures and opt-out options led to a six-figure settlement with the California AG and additional injunctive penalties.

Businesses interacting with California consumers should review their privacy policies and marketing agreements to ensure that the applicable notices and disclosures are provided for all “sales” of personal information belonging to California consumers.

Exchanging Customer Information With Other Businesses For Marketing Purposes Is a “Sale” of Personal Information that Requires Disclosure Under Both the CCPA and CalOPPA

The AG’s settlement with DoorDash resolved allegations concerning DoorDash’s participation in two marketing co-operatives in which unrelated businesses exchanged personal information of their customers for purposes of advertising their own products to the other businesses’ customers.The AG claimed that DoorDash provided the co-ops with personal information of its California customers in exchange for the opportunity to send mailed advertisements to customers of other participating businesses.The AG found this exchange of information to be a “sale” of personal information under the CCPA.According to the AG, DoorDash violated the statute by not disclosing this exchange of personal information in its posted privacy policy and by failing to post a “Do Not Sell My Personal Information” link on its website and mobile application for customers to opt-out of this sale.The AG also alleged that DoorDash’s failure to disclose the sale of personal information in its posted privacy policy violated the California Online Privacy Protection Act of 2003 (“CalOPPA”)[4]. 

As part of its settlement with the AG, DoorDash must pay a $375,000 civil penalty and comply with certain injunctive terms, including: (1) complying with the CCPA and CalOPPA, (2) reviewing applicable vendor contracts and use of technology to evaluate if it is selling or sharing consumer personal information, and (3) providing annual reports to the AG concerning DoorDash’s potential sale or sharing of consumer personal information.

The AG emphasized “[t]his enforcement action underscores that sharing of customers’ personal information with a marketing cooperative is a sale within the meaning of the CCPA and that businesses can be exposed to liability under multiple California privacy laws for the same conduct.”[5]

The AG Is Concerned About the Impact on Consumers of Downstream Sales of Personal Information

The AG’s complaint states that it provided DoorDash notice of its alleged CCPA violations (a feature of the statute that has since been eliminated) and that DoorDash attempted to cure, including by ceasing its sale of customer information to the marketing co-ops and instructing the companies to delete its California customer data.However, the AG did not find the curative steps taken by DoorDash to be sufficient given that the personal information had already been sold downstream to companies beyond the marketing co-op members and therefore affected California consumers were not made whole.In the AG’s view, DoorDash could have taken additional steps to cure the alleged violations, including updating its privacy policy to disclose the prior sales of personal information and instructing the marketing co-op not to further sell its customers’ data. 

The AG’s rejection of DoorDash’s attempt to cure demonstrates its focus on harm to consumers. AG Rob Bonta emphasized his office’s dedication to protecting California consumers in its press release, stating:

As my office has stressed time and time again, businesses must disclose when they are selling personal information and offer Californians a way to opt out of that sale ….. I hope today’s [DoorDash] settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.

The AG Is Monitoring Online Consumer Privacy Complaints

Notably, the AG’s complaint against DoorDash describes online posts by a DoorDash customer complaining about receiving numerous mailed advertisements directed to an alias she had used solely for her DoorDash account, despite DoorDash not disclosing that it would share her personal information with these companies.The AG investigated the customer’s complaints and claims it discovered that her data “was shared many times over with a significant number of companies.” 

The AG’s reference to the customer’s online postings shows that the AG is taking consumer privacy complaints seriously and conducting investigations based on individual complaints.Businesses are well-served to monitor online privacy complaints and to take appropriate action where needed to ensure compliance with applicable privacy laws.


As the AG’s settlement with DoorDash highlights, the AG continues to interpret the CCPA with consumers in mind - including what constitutes a “sale” of personal information under the statute. Given the AG’s focus on the “real consequences” consumers suffer when their data is sold without their consent, businesses that share customer personal information as part of any marketing initiatives should urgently review their policies and procedures for CCPA compliance – especially now that the CCPA no longer provides for an opportunity to cure. The difficulty, if not impossibility, in clawing back customer information once it is sold downstream will almost certainly be factored into any penalties levied by the AG for similar violations.