DoorDash’s recent settlement with the California Attorney General regarding allegations of improperly trading consumer personal information has significant implications for data privacy practices. In short, DoorDash was accused of violating the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) when it disclosed consumer data without providing the required notice and opportunity to opt out of such sales under the state’s privacy laws. Here are three essential lessons we can glean from this development:

  1. Prioritize Transparency, Notice, and Consent: The DoorDash settlement highlights the critical importance of transparency and obtaining explicit consent when handling consumer personal information. Companies must be transparent about their data collection practices, including how they use, share, and monetize consumer data. Moreover, obtaining affirmative consent from consumers before sharing their personal information with third parties is essential for maintaining trust and compliance with privacy frameworks like the CCPA. By prioritizing transparency and consent, businesses can demonstrate their commitment to respecting consumer privacy rights and building trust with their user base.

  2. Compliance with Data Privacy Regulations Is Mandatory: The DoorDash settlement underscores the importance of compliance with data privacy regulations, particularly in jurisdictions with stringent laws like California, and the need to take proactive steps to comply with evolving legal requirements. This includes establishing data governance frameworks, appointing privacy officers, and conducting regular privacy impact assessments to assess compliance with regulatory standards. By prioritizing compliance and staying abreast of regulatory updates, businesses can avoid costly penalties, legal disputes, and reputational damage resulting from non-compliance with data privacy laws.

  3. Fully Understand the Legal Requirements: The settlement serves as a reminder of the necessity of a thorough understanding of organizational requirements. DoorDash’s sharing of data with the marketing cooperative likely did not include DoorDash receiving monetary payment for the disclosure of data. This scenario could easily create the false assumption that a “sale” of data has not occurred. However, a thorough understanding of California privacy law would reveal that a “sale” of data includes a disclosure for monetary or other valuable consideration.

In conclusion, the DoorDash settlement with the California Attorney General offers valuable insights into the importance of transparency, understanding, and regulatory compliance in safeguarding consumer data privacy. By incorporating these key lessons into data privacy practices, businesses can enhance trust, mitigate risks, and demonstrate their commitment to respecting consumer privacy rights in an increasingly data-driven world.
