Department of Justice investigated and found that DoorDash sold its customers’ personal information without providing consumers proper notice or an opportunity to opt out, thereby violating the CCPA and CalOPPA. As part of its $375,000 settlement announced February 21, 2024, DoorDash must comply with California’s requirements regarding a business’ sale of personal information, ensure its vendors comply with California’s laws regarding the selling and sharing of consumer personal information, and provide annual reports to the California Attorney General.

Key takeaways from the DoorDash settlement:

1. Disclosure = Sale. Under the CCPA, providing consumer personal information, even without the exchange of money, is sufficient to meet the definition of a “sale.”

2. Privacy Practices and Policies. CalOPPA outlines the requirements for companies processing the personal information of California residents. Companies should ensure their practices and privacy policies (both internal and external) are aligned with the statute’s requirements. It’s important to note that CalOPPA may apply, even if the CCPA does not.

In another recent enforcement action, Honda reached a settlement with the CPPA over allegations that Honda made it difficult for California consumers to exercise their privacy rights by requiring them to provide excessive personal information to exercise their rights, failing to provide fair opt-out tools, and making it difficult for them to have authorized agents act on their behalf. Moreover, Honda shared personal information with third-party ad companies without adequate privacy protections and contractual provisions. This enforcement action demonstrates that businesses should focus on simplifying the process for consumers to exercise their privacy rights and must implement a robust data governance program to ensure that vendor contracts have CCPA/CPRA-compliant language.