Doordash Must Pay $375,000 Fine for CCPA Violation Following Amended Regulations 

The California Consumer Privacy Act’s (CCPA) amended regulations went into effect at the beginning of February, and DoorDash’s civil settlement uncovers challenging privacy terrain ahead for the ad tech industry. 

On Friday, February 9, the California Third District Court of Appeal ruled that key provisions of CCPA, as amended, are now enforceable. This ruling marks a significant victory for the privacy regulation, allowing for immediate enforcement of these updated regulations.

The state agency emphasizes that the ruling has reinstated the CPPA’s complete enforcement powers, ushering in a fresh phase of privacy act enforcement. “This decision should prompt the regulated community to review their privacy practices promptly to ensure compliance with all our regulations,” warned the state agency in a press release announcing the ruling.

With this new set of consumer and employee data rulings added to the CCPA, the privacy watchdog is sniffing around publishers and advertisers for any data ethics infractions. Everyone must be on their p’s and q’s with their data compliance practices. 

Yet, somehow, Doordash fell victim to CCPA and has been ordered to pay a $375,000 civil penalty and comply with CCPA and the California Online Privacy Protection Act (CalOPPA).

The Amendments to Consumer and Employee Data Compliance

California’s ruling impacts regulations concerning consumer and employee data. It encompasses several critical aspects of the amended act: transparency mandates, compliance with privacy rights requests, obligations for service providers and third parties, management of children’s and teens’ data, training, and record-keeping. 

With businesses under stricter scrutiny, publishers, advertisers, and ad tech firms are wrestling with fresh compliance duties after the California Privacy Protection Agency’s (CPRA) implementation. They must consider consumers’ right to opt out of targeted advertising and limitations on processing sensitive personal data. 

In addition, the CPRA‘s updated definition of business purpose places ad tech companies in a critical position.. It specifically excludes cross-context behavioral advertising from the activities that qualify recipients as service providers, consequently imposing stricter compliance obligations on them as either third parties or businesses.

The reclassification necessitates service providers to transition to third parties, which means they must renegotiate business contracts to align with CPRA stipulations. These agreements impose restrictions on third parties regarding combining personal information for analytics and mandate clear privacy disclosures and consumer opt-out options. 

Companies must meet specific criteria to qualify as businesses under the CPRA framework, including revenue thresholds and data handling practices.

How Did Doordash Fall Prey to CCPA’s Regulations? 

An investigation by the California Department of Justice revealed that DoorDash sold its California consumer’s personal information, including names, addresses, and transaction histories, to a marketing cooperative without providing notice or an opt-out opportunity for consumers. 

In this marketing cooperative, DoorDash and other companies disclosed personal information to the group to advertise their products to each other’s customers.

Attorney General Rob Botna said that selling personal information without consumer consent violates the CCPA and CalOPPA. Botna hopes this “settlement serves as a wakeup call to businesses: The CCPA has been in effect for over four years, and businesses must comply with this important privacy law. “

As part of the settlement, DoorDash must pay the massive fine and comply with stringent injunctive terms, including submitting annual reports to the Attorney General to monitor any potential sale or sharing of consumer personal information. 

Data privacy regulations will only get more challenging as we work towards creating a federal privacy law. Doordash’s lawsuit echoes a warning to the entire ad tech supply chain to ensure you review your data compliance practices under established and upcoming state and privacy laws.  

Privacy regulation is a sticky terrain in the U.S., but you must stay diligent in deterring legal actions or judgments from accompanying your compliance reviews.