Food delivery service DoorDash has agreed to pay $375,000 to settle allegations that it violated California privacy laws by “selling” consumers' data to a marketing co-op, without
giving consumers the opportunity to opt out, state Attorney General Rob Bonta said this week.
The delivery company allegedly shared customer data in January 2020 with a marketing co-op --
meaning a collection of businesses that pooled information about customers for marketing purposes.
Bonta's office says DoorDash's participation in the co-op violated the California Consumer
Privacy Act because the company didn't disclose the data transfers in a privacy policy, and didn't post “an easy-to-find 'Do Not Sell My Personal Information' link” on its website or
mobile app.
California's 2018 privacy law prohibits companies from “selling” residents' personal information without allowing them to opt out.
The complaint against DoorDash, filed Wednesday in Los Angeles Superior Court, alleges that California's privacy
law defines “sale” broadly enough to cover DoorDash's alleged data transfers.
“Any transaction under which a business receives a benefit for sharing consumer information can
be a sale” under the California Consumer Privacy Act, the complaint alleges. “DoorDash traded consumer personal information in exchange for the benefit of advertising to potential new
customers; its participation in the marketing co-op was therefore a sale.”
DoorDash stated this week that it ended its relationship with marketing co-ops in 2020, and that the
settlement stems from “a single incident involving a vendor over four years ago.”
Bonta's office alleges that even though DoorDash doesn't currently sell customers' information,
the company did not “cure” the January 2020 sale to the co-op.
“DoorDash did not cure because it did not make affected consumers whole by restoring them to the same position
they would have been in if their data had never been sold,” the complaint alleges.
“The consumer personal information and inferences about DoorDash’s customers had already
been sold downstream to other companies and beyond the marketing co-op’s members, including to a data broker that re-sold the data many times over,” the attorney general's office
writes.
“DoorDash also could not determine which downstream companies had received its data so that it could contact each company to request that it delete or stop further selling the
data,” Bonta's office adds.
The settlement hasn't yet been approved by a judge.