Doordash to pay $375K in AG settlement over CCPA violations

Julie Rubash, General Counsel and Chief Privacy Officer
February 26, 2024

USA

Doordash To Pay $375K in AG Settlement Over CCPA Violations

California Attorney General Bonta announced a settlement with Doordash based on allegations the company sold customer personal information as part of a marketing cooperative (allowing participants to advertise to each other's customers) without providing notice or an opportunity for customers to opt out.

In addition to paying a $375,000 civil penalty, Doordash will be required to provide annual reports to the Attorney General that monitor any potential sale or sharing of consumer personal information. 

TAKEAWAY

The alleged violating activity was a single transfer of customer names, addresses and transaction histories that took place in January 2020, the first month that CCPA was in effect.

This demonstrates the importance of meeting regulatory deadlines and may serve as a wake-up call to companies that are behind in implementing the latest requirements under CPRA and associated regulations, which have recently become enforceable a month earlier than expected.

FTC Order Bans Avast From Selling Browsing Data for Advertising

The Federal Trade Commission announced a $16.5 million settlement with Avast based on allegations the software provider unfairly collected consumer browsing information through its browser extensions and antivirus software and sold it to advertising, marketing and data analytics companies and data brokers without adequate notice or consumer consent.

In addition to paying $16.5 million, Avast will be prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes and will be required to obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes.

The company will also be required to delete all web browsing data previously transferred to its subsidiary, Jumpshot (through which the data was sold to third parties) and any products or algorithms Jumpshot derived from that data, and it will be required to inform previous customers about the FTC order.

TAKEAWAY

The FTC’s privacy-related enforcement over the last year has concentrated on companies that, as a regular part of their business, collected and shared personal data that the FTC deemed to be highly sensitive, such as health (e.g., GoodRx, Betterhelp, and Premom), tax data (H&R Block) or location data (Kochava, X-Mode and InMarket). Although the FTC does mention that the browsing data shared by Avast included information about users’ web searches and webpages they visited, “revealing consumers’ religious beliefs, health concerns, financial status, visits to child-directed content and other sensitive information”, this action may reflect an expansion in FTC privacy enforcement beyond companies in sensitive sectors to companies sharing more general personal information that may, on occasion, include some sensitive information. 

CPPA Publishes Updated Draft Regulations for March 8 Discussion

The California Privacy Protection Agency announced a March 8 board meeting and included as meeting materials updated draft risk assessment and automated decisionmaking regulations and a draft update to existing CCPA regulations.

TAKEAWAY

Some notable draft changes to the CCPA regulations include the addition of:

(a) examples in the IoT and augmented or virtual reality space (clarifying that required notices must be provided such that the user encounters them before the IoT device begins collecting personal information that it sells or shares and before a user enters the augmented or virtual reality environment),

(b) requirements to ensure, after complying with a deletion or correction request, that the information remains deleted or corrected going forward (citing, as an example, if a company receives refreshed information from data brokers on a regular basis and may receive the previously deleted or corrected data again),

(c) a requirement to display the status of the consumer’s choice if a consumer’s consent to the sale or sharing of personal information is determined by the business to override the opt-out preference signal or if the opt-out preference signal conflicts with a consumer’s participation in a financial incentive program,

(d) a requirement (changing the language from “may” to “shall”) for a business to display whether it has processed the consumer’s opt-out preference signal and to provide a mechanism (whether through a display on the website or otherwise) for the user to confirm that their opt-out request has been processed, and

(e) examples of the timing requirements for opt-out requests in the context of companies that use programmatic advertising on their websites (compliance with an opt-out request must be immediate after the request is submitted) and marketing companies that sell in the form of batched uploads (receiving third parties must be notified of the opt-out request with respect to any data transferred after the request).

A notable proposed change to both the risk assessment and automated decisionmaking regulations is the addition of a definition for “behavioral advertising”, including a clarification that nonpersonalized advertising is only excluded if the consumer’s personal information is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business, and is not disclosed to a third party.

An overview deck of all revisions and proposals for the risk assessment and automated decisionmaking regulations was included with the materials. 

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
