Key Takeaways from DoorDash’s Settlement with the California Attorney General on Consumer Data Privacy

DoorDash’s recent settlement with the California Attorney General regarding allegations of improperly trading consumer personal information has significant implications for data privacy practices. In short, DoorDash was accused of violating the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) when it disclosed consumer data without providing the required notice and opportunity to opt out of such sales under the state’s privacy laws. Here are three essential lessons we can glean from this development:

  1. Prioritize Transparency, Notice, and Consent: The DoorDash settlement highlights the critical importance of transparency and obtaining explicit consent when handling consumer personal information. Companies must be transparent about their data collection practices, including how they use, share, and monetize consumer data. Moreover, obtaining affirmative consent from consumers before sharing their personal information with third parties is essential for maintaining trust and compliance with privacy frameworks like the (CCPA). By prioritizing transparency and consent, businesses can demonstrate their commitment to respecting consumer privacy rights and building trust with their user base.

  2. Compliance with Data Privacy Regulations Is Mandatory: The DoorDash settlement underscores the importance of compliance with data privacy regulations, particularly in jurisdictions with stringent laws like California and take proactive steps to comply with evolving legal requirements. This includes establishing data governance frameworks, appointing privacy officers, and conducting regular privacy impact assessments to assess compliance with regulatory standards. By prioritizing compliance and staying abreast of regulatory updates, businesses can avoid costly penalties, legal disputes, and reputational damage resulting from non-compliance with data privacy laws.

  3. Fully Understand the Legal Requirements: The settlement serves as a reminder of the necessity for thorough understanding of organizational requirements. DoorDash’s sharing of data with the marketing cooperative likely did not include DoorDash receiving monetary payment for the disclosure of data. This scenario could easily create the false assumption that a “sale” of data has not occurred. However, a thorough understanding of California privacy law would reveal that a “sale” of data includes a disclosure for monetary or other valuable consideration

In conclusion, the DoorDash settlement with the California Attorney General offers valuable insights into the importance of transparency, understanding, and regulatory compliance in safeguarding consumer data privacy. By incorporating these key lessons into data privacy practices, businesses can enhance trust, mitigate risks, and demonstrate their commitment to respecting consumer privacy rights in an increasingly data-driven world.

Texas Data Privacy and Security Act – Part 1: Applicability 

In a digital era marred by big data monetization and weaponization and culminating in a renewed privacy awakening, Texas has taken a substantial...

Securing America’s Ports: Biden Administration Takes Action on Maritime Cybersecurity

The Biden administration is set to issue an Executive Order to enhance the cybersecurity of U.S. ports and bolster maritime security, supported by a...

FTC Settles Data Broker Settlement Banning Sale of Sensitive Location Data

Organizations that collect, use, purchase, or sell sensitive location data should remain cautious of its data practices and the recent FTC...

CPPA to Resume Enforcement of CPRA Regulations

On February 9, 2024, the California Third Appellate District Court of Appeal made a significant ruling regarding the enforcement timeline of the...

Key Takeaways from DoorDash’s Settlement with the California Attorney General on Consumer Data Privacy

DoorDash's recent settlement with the California Attorney General regarding allegations of improperly trading consumer personal information has...

Colorado House Bill HB24-1130: Strengthening Biometric Data Protections

Colorado’s commitment to enhancing data privacy reaches new heights with the proposed amendments introduced in House Bill HB24-1130. This bill seeks to fortify the existing “Colorado Privacy Act” by introducing comprehensive safeguards specifically tailored to protect individuals’ biometric data.

Key Amendments Proposed in HB24-1130

  1. Written Policy Requirement: The bill mandates that controllers, those who determine the purposes and means of processing biometric data, must adopt a written policy. This policy should include provisions for establishing a retention schedule for biometric identifiers, implementing a protocol for responding to breaches of security concerning biometric data, and guidelines for the permanent destruction of biometric identifiers.

  2. Disclosure and Consent Requirements: Controllers are prohibited from collecting biometric identifiers without first meeting specific disclosure and consent requirements. This provision ensures that individuals are fully informed about the collection and use of their biometric data and have the opportunity to provide informed consent.

  3. Access and Update Rights: HB24-1130 empowers consumers by requiring controllers to allow them access to and the ability to update their biometric identifiers. This provision enhances individuals’ control over their biometric information and promotes transparency and accountability in data processing practices.

  4. Employer Restrictions: The bill imposes limitations on employers’ permissible reasons for obtaining employees’ consent for the collection of biometric identifiers. This measure aims to protect employees’ privacy rights and ensure that their biometric data is collected and used only for legitimate purposes.

  5. Enforcement and Rulemaking Authority: HB24-1130 authorizes the attorney general to promulgate rules to implement the provisions of the bill, enhancing enforcement mechanisms and ensuring compliance with the new requirements.

Implications

The proposed amendments in HB24-1130 represent a significant step forward in safeguarding biometric data privacy in Colorado. If enacted, these provisions will establish clear guidelines for the collection, retention, and use of biometric identifiers, enhancing transparency, accountability, and consumer control over their personal information.

As HB24-1130 progresses through the legislative process, stakeholders should remain vigilant and engage in discussions to better understand how these amendments may impact data privacy practices in Colorado.

HHS Office for Civil Rights Resolves Medical Practice Ransomware Cyberattack

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued its second-ever settlement for a ransomware...

New Jersey Enacts Privacy Law

On January 16, 2024, New Jersey became the first state in 2024 to join a growing list of states implementing comprehensive consumer data privacy...

NIST Releases SP 800-66r2: Implementing the HIPAA Security Rule

The National Institute of Standards and Technology (NIST) has recently published Special Publication 800-66r2, titled "Implementing the Health...

CPPA to Resume Enforcement of CPRA Regulations

On February 9, 2024, the California Third Appellate District Court of Appeal made a significant ruling regarding the enforcement timeline of the...

Texas Data Privacy and Security Act – Part 1: Applicability 

In a digital era marred by big data monetization and weaponization and culminating in a renewed privacy awakening, Texas has taken a substantial...

CPPA to Resume Enforcement of CPRA Regulations

On February 9, 2024, the California Third Appellate District Court of Appeal made a significant ruling regarding the enforcement timeline of the California Privacy Rights Act of 2020 (CPRA) implementing regulations. The appellate court overturned a previous ruling from June 2023 by a lower court, which had ordered a 12-month delay in enforcing the regulations following their adoption.

The lower court’s reasoning was based on the belief that voters intended for a one-year gap between the adoption and enforcement of these regulations. Following adoption of CPRA regulations on March 29, 2023, the lower court ordered enforcement to be stayed until March 29, 2024.

However, upon reevaluation of the CPRA’s text and voters’ intentions, the appellate court concluded that the lower court had misinterpreted the law and highlighted the absence of “clear, unequivocal” language in the CPRA mandating a one-year delay between approval and enforcement. Consequently, the appellate court instructed the lower court to rescind its order for the 12-month enforcement delay.

This ruling effectively reinstates the California Privacy Protection Agency’s authority to enforce CPRA regulations immediately upon their adoption, without additional delay. It underscores the importance of organizations to maintain robust privacy programs that align with the dynamic landscape of privacy laws and regulations.

 

Texas Data Privacy and Security Act – Part 1: Applicability 

In a digital era marred by big data monetization and weaponization and culminating in a renewed privacy awakening, Texas has taken a substantial...

CPPA to Resume Enforcement of CPRA Regulations

On February 9, 2024, the California Third Appellate District Court of Appeal made a significant ruling regarding the enforcement timeline of the...

LockBit Ransom Group Disrupted By Law Enforcement

The LockBit ransomware group has been successfully disrupted by law enforcement, marking a significant victory in the ongoing battle against...

Key Takeaways from DoorDash’s Settlement with the California Attorney General on Consumer Data Privacy

DoorDash's recent settlement with the California Attorney General regarding allegations of improperly trading consumer personal information has...

HHS Office for Civil Rights Resolves Medical Practice Ransomware Cyberattack

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued its second-ever settlement for a ransomware...

Texas Data Privacy and Security Act – Part 1: Applicability 

In a digital era marred by big data monetization and weaponization and culminating in a renewed privacy awakening, Texas has taken a substantial first step toward protecting the privacy of its residents with the enactment of the Texas Data Privacy and Security Act (TDPSA). Taking effect on July 1, 2024, this new comprehensive privacy framework represents the state’s approach to requiring individual rights and organizational safeguards concerning personal data. While the TDPSA is designed for broad application, it includes specific applicability and exclusion provisions. 

An organization must comply with the TDPSA if it: 

(1) conducts business in Texas or produces a product or service consumed by Texas residents; 

(2) processes or engages in the sale of personal data; and 

(3) is not a small business as defined by the United States Small Business Administration, unless sensitive data is sold.

The TDPSA exempts certain organizations and data. The law specifically exempts from applicability state agencies and political subdivisions; financial institutions subject to the Gramm-Leach-Bliley Act; covered entities or business associates governed by HIPAA privacy, security, and breach notification rules; nonprofit organizations, institutions of higher education; and electric utilities, power generation companies, and retail electric providers.

The law also exempts several categories of data, including: HIPAA protected health information; data subject to the Gramm-Leach-Bliley Act; health records; patient identifying information for purposes of 42 U.S.C. Section 290dd-2; identifiable private information for purposes of the federal protection of human rights under 45 C.F.R. Part 46, collected as part of human subject research, or that is personal data used or shared in research conducted in accordance with law; information and documents created for purposes of the Health Care Quality Improvement Act of 1986; patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005; health information that is de-identified in accordance with HIPAA regulations; information exempt by the TDPSA that is maintained by a HIPAA covered entity or business associate or by a program or qualified service organization as defined by 42 U.S.C. Section 290dd-2; certain information that is included in a limited dataset as described by 45 C.F.R. Section 164.514(e); information collected or used only for public health activities and purposes as authorized by HIPAA; personal information regulated by the Fair Credit Reporting Act; personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994; personal data regulated by the Family Educational Rights and Privacy Act of 1974; personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971; certain employment data and data necessary to administer benefits for another individual; information used for emergency contact purposes.

Additionally, the TDPSA does not apply to processing of personal data by a person in the course of purely personal or household activity. 

The TDPSA along with the Texas Identity Theft Enforcement and Protection Act each represents the growing trend of states taking a more comprehensive approach to ensuring the privacy and security of consumer data. By establishing organizational obligations and clear penalties for non-compliance, the TDPSA is poised to enhance data protection, empower consumers, and reduce distrust in this digital age. Organizations subject to the TDPSA should prioritize compliance efforts in advance to the TDPSA effective date to mitigate organizational risk. 

CPPA to Resume Enforcement of CPRA Regulations

On February 9, 2024, the California Third Appellate District Court of Appeal made a significant ruling regarding the enforcement timeline of the...

New Jersey Enacts Privacy Law

On January 16, 2024, New Jersey became the first state in 2024 to join a growing list of states implementing comprehensive consumer data privacy...

HHS Office for Civil Rights Resolves Medical Practice Ransomware Cyberattack

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued its second-ever settlement for a ransomware...

NIST Releases SP 800-66r2: Implementing the HIPAA Security Rule

The National Institute of Standards and Technology (NIST) has recently published Special Publication 800-66r2, titled "Implementing the Health...

Key Takeaways from DoorDash’s Settlement with the California Attorney General on Consumer Data Privacy

DoorDash's recent settlement with the California Attorney General regarding allegations of improperly trading consumer personal information has...

About 

View additional information about Jeremy D. Rucker

Links

Privacy Policy

Contact

P: 214.459.5880

E: [email protected]

Follow Me

New Jersey Enacts Privacy Law

On January 16, 2024, New Jersey became the first state in 2024 to join a growing list of states implementing comprehensive consumer data privacy laws. SB 332 provides New Jersey residents with certain data privacy rights and creates related obligations on organizations that process their personal data. The new law becomes effective on January 15, 2025. 

HHS Office for Civil Rights Resolves Medical Practice Ransomware Cyberattack

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued its second-ever settlement for a ransomware...

New Jersey Enacts Privacy Law

On January 16, 2024, New Jersey became the first state in 2024 to join a growing list of states implementing comprehensive consumer data privacy...

Securing America’s Ports: Biden Administration Takes Action on Maritime Cybersecurity

The Biden administration is set to issue an Executive Order to enhance the cybersecurity of U.S. ports and bolster maritime security, supported by a...

CPPA to Resume Enforcement of CPRA Regulations

On February 9, 2024, the California Third Appellate District Court of Appeal made a significant ruling regarding the enforcement timeline of the...

Key Takeaways from DoorDash’s Settlement with the California Attorney General on Consumer Data Privacy

DoorDash's recent settlement with the California Attorney General regarding allegations of improperly trading consumer personal information has...

About 

View additional information about Jeremy D. Rucker

Links

Privacy Policy

Contact

P: 214.459.5880

E: [email protected]

Follow Me