California Attorney Rob Bonta recently announced a $375,000 settlement with DoorDash over alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The Attorney General’s allegations centered around the food-delivery company’s sharing of consumers’ personal data with a marketing cooperative, which amounted to “selling” information under the CCPA.
“I hope today’s settlement serves as a wakeup call to businesses,” said Mr. Bonta. “The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law. Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”
At the heart of the allegations is DoorDash’s participation in a “marketing cooperative.” A marketing cooperative allows participating companies to advertise to each other’s customers. For example, the owner of a gym may want to reach the customers of a company that sells yoga pants, or vice versa. In exchange for this opportunity, each member gives the cooperative access to its customer data, and the cooperative acts as a data broker.
There is nothing inherently illegal about participating in a marketing cooperative. What got DoorDash into trouble was its (alleged) failure to do two things: (1) Disclose the fact of its participation in the marketing cooperative, and (2) offer consumers a way to opt out.
While the Attorney General’s press release does not go into great detail about its investigation or DoorDash’s alleged violations, other businesses can still learn a few lessons about privacy compliance from the case.
The biggest obstacle businesses face in privacy compliance is not taking it seriously enough. Posting a generic privacy policy and assuming that authorities will automatically give businesses a chance to cure has become a high-risk strategy. The CCPA has been on the books for years, and the DoorDash case makes clear that state officials have run short on patience. The time for getting compliant is now, before an enforcement action disrupts your business and costs you hundreds of thousands of dollars in fines and legal fees.
TrueVault US simplifies privacy compliance across multiple state laws, so that businesses can handle it on their own. With an interface that is familiar to anyone who has done their own taxes online, TrueVault guides you through every step of the process, from onboarding vendors to handling privacy requests. As more states pass comprehensive privacy laws, they are added to your Privacy Center at no extra cost.
Contact our team to learn more and view a demo of how TrueVault works.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2022 © All Rights Reserved. Privacy Policy | Terms of Use | California Privacy Notice