California Attorney General Ramps Up CCPA Enforcement with DoorDash Settlement, Reinforces CalOPPA Principles
On February 21, 2024, California Attorney General Rob Bonta announced a $375,000 settlement with DoorDash, the second-ever public enforcement action under the California Consumer Privacy Act (CCPA). This follows the AG’s $1.2 million settlement with Sephora, detailed in our previous discussion here. The DoorDash settlement addresses consumer privacy violations arising from DoorDash’s participation in a marketing co-operative, which the AG alleged constituted a sale of consumers’ personal information without providing notice or an opportunity to opt out under the CCPA and the California Online Privacy Protection Act (CalOPPA). This action is just the latest step in California’s aggressive push to uphold its comprehensive data privacy laws—and it illustrates the importance of a vigilant and proactive approach to privacy.
DoorDash’s Alleged Violations and Settlement
The action against DoorDash stems from allegations that the company failed to adequately inform its users about their right to opt out of the sale of their personal information, specifically related to DoorDash’s participation in two marketing co-ops, starting in 2018, in which participating businesses contributed customers' personal information in exchange for the ability to advertise their products to other co-op participants' customers. In January 2020, DoorDash transmitted personal information of its California customers, including names, addresses, and transaction histories, to the marketing co-op. The information was then sold downstream to other companies. At least one DoorDash customer subsequently received marketing materials by mail from third party businesses because of this disclosure.
The complaint alleged that the disclosure of personal information to the marketing co-op was a “sale” under the CCPA. It also asserted that DoorDash failed to inform customers that it was disclosing personally identifying information about them to third parties and did not identify the categories of third parties to which it was disclosing such information, in violation of both CCPA and CalOPPA.
The settlement requires DoorDash to pay $375,000 in penalties, comply with the CCPA and CalOPPA regarding privacy disclosures and consumer privacy opt-out rights, and implement and maintain a privacy compliance program for three years. Specifically, the compliance program requires DoorDash to:
-
- Assess and monitor if it is selling or sharing personal information, including for marketing services or “to providers of analytics or measurement services”;
- Evaluate whether it is effectively providing consumers with required privacy disclosures, in its privacy policy and notice at collection, and providing the right to opt-out;
- Document its compliance program in writing, including specific policies and procedures and technical and operational controls for:
-
- Reviewing contracts with service providers and contractors to ensure compliance with CCPA requirements;
- Documenting technical and operational controls implemented for service provider and contractor risk assessment and diligence under the CCPA;
- Maintaining an inventory of marketing co-ops in which the business participates and any contracts with those co-ops;
- Explaining—with respect to the sale or sharing of personal information with providers of marketing services or analytics or measurement services—where in its privacy policies and notices at collection it discusses any sale or sharing of personal information and the methods for consumers to opt-out of such sale or sharing; and
-
- Annually certify compliance for three years.
Comparison with Sephora Settlement
There are notable differences from the previous CCPA enforcement action against Sephora:
-
- Penalty Amount: DoorDash’s settlement involved a $375,000 penalty, significantly lower than the $1.2 million fine imposed on Sephora. This difference likely reflects the nature and scope of the alleged violations, including that DoorDash stopped participating in marketing co-ops in 2020.
- Compliance Period: DoorDash is required to implement and maintain a compliance program and certify its compliance for a period of three years. Sephora’s compliance program was only in effect for two years. This extended compliance period signals an increase in oversight and ongoing engagement with the AG’s Office and emphasizes the importance of maintaining adherence to CCPA requirements.
Key Takeaways for Businesses
-
- Transparency and Communication: Ensure clear communication with consumers about data collection practices and their rights under CCPA, including selling or sharing of personal information to third parties, the categories of such third parties, and the right to opt-out of the sale or sharing of personal information, including regular review of privacy practices to ensure accurate and transparent disclosures in the business’ privacy policy and notice at collection.
- Understand When a Disclosure is a “Sale”: The DoorDash settlement underscores the sweeping definition of “sale” under CCPA—including, specifically, the disclosure of information to providers of marketing services or analytics and measurement services. The Sephora action signaled the AG was interpreting the definition broadly; this action against DoorDash confirms it.
- Manage Service Provider Privacy Risk: Businesses should evaluate their service provider and contractor relationships—particularly with marketing, analytics, and measurement providers—to identify and mitigate any privacy risks. This includes ensuring appropriate contractual terms are in place to limit the use or disclosure of personal information.
- Proactive Compliance and Monitoring: Establish and maintain a comprehensive privacy and data governance program for CCPA compliance. This includes regular reviews of data sharing agreements and marketing practices responsive to regulatory changes and enforcement trends.
- Engage with Regulators: The DoorDash and Sephora settlements highlight the importance of engaging in good faith with regulators and enforcement entities. Demonstrating a commitment to privacy and engaging responsively can impact the outcome of enforcement actions and penalties.
The DoorDash settlement provides a reminder and a warning to businesses: of the importance of ongoing compliance with evolving privacy laws like CCPA and older privacy laws like CalOPPA. As privacy regulations evolve, businesses must stay vigilant, ensuring their privacy practices continue to meet existing requirements while adapting to incorporate new and expanding obligations.
This article is available in the Jenner & Block Japan Newsletter./ この記事はJenner & Blockニュースレターに掲載されています。
DoorDash’s Alleged Violations and Settlement
The action against DoorDash stems from allegations that the company failed to adequately inform its users about their right to opt out of the sale of their personal information, specifically related to DoorDash’s participation in two marketing co-ops, starting in 2018, in which participating businesses contributed customers' personal information in exchange for the ability to advertise their products to other co-op participants' customers. In January 2020, DoorDash transmitted personal information of its California customers, including names, addresses, and transaction histories, to the marketing co-op. The information was then sold downstream to other companies. At least one DoorDash customer subsequently received marketing materials by mail from third party businesses because of this disclosure.
The complaint alleged that the disclosure of personal information to the marketing co-op was a “sale” under the CCPA. It also asserted that DoorDash failed to inform customers that it was disclosing personally identifying information about them to third parties and did not identify the categories of third parties to which it was disclosing such information, in violation of both CCPA and CalOPPA.
The settlement requires DoorDash to pay $375,000 in penalties, comply with the CCPA and CalOPPA regarding privacy disclosures and consumer privacy opt-out rights, and implement and maintain a privacy compliance program for three years. Specifically, the compliance program requires DoorDash to:
-
- Assess and monitor if it is selling or sharing personal information, including for marketing services or “to providers of analytics or measurement services”;
- Evaluate whether it is effectively providing consumers with required privacy disclosures, in its privacy policy and notice at collection, and providing the right to opt-out;
- Document its compliance program in writing, including specific policies and procedures and technical and operational controls for:
-
- Reviewing contracts with service providers and contractors to ensure compliance with CCPA requirements;
- Documenting technical and operational controls implemented for service provider and contractor risk assessment and diligence under the CCPA;
- Maintaining an inventory of marketing co-ops in which the business participates and any contracts with those co-ops;
- Explaining—with respect to the sale or sharing of personal information with providers of marketing services or analytics or measurement services—where in its privacy policies and notices at collection it discusses any sale or sharing of personal information and the methods for consumers to opt-out of such sale or sharing; and
-
- Annually certify compliance for three years.
Comparison with Sephora Settlement
There are notable differences from the previous CCPA enforcement action against Sephora:
-
- Penalty Amount: DoorDash’s settlement involved a $375,000 penalty, significantly lower than the $1.2 million fine imposed on Sephora. This difference likely reflects the nature and scope of the alleged violations, including that DoorDash stopped participating in marketing co-ops in 2020.
- Compliance Period: DoorDash is required to implement and maintain a compliance program and certify its compliance for a period of three years. Sephora’s compliance program was only in effect for two years. This extended compliance period signals an increase in oversight and ongoing engagement with the AG’s Office and emphasizes the importance of maintaining adherence to CCPA requirements.
Key Takeaways for Businesses
-
- Transparency and Communication: Ensure clear communication with consumers about data collection practices and their rights under CCPA, including selling or sharing of personal information to third parties, the categories of such third parties, and the right to opt-out of the sale or sharing of personal information, including regular review of privacy practices to ensure accurate and transparent disclosures in the business’ privacy policy and notice at collection.
- Understand When a Disclosure is a “Sale”: The DoorDash settlement underscores the sweeping definition of “sale” under CCPA—including, specifically, the disclosure of information to providers of marketing services or analytics and measurement services. The Sephora action signaled the AG was interpreting the definition broadly; this action against DoorDash confirms it.
- Manage Service Provider Privacy Risk: Businesses should evaluate their service provider and contractor relationships—particularly with marketing, analytics, and measurement providers—to identify and mitigate any privacy risks. This includes ensuring appropriate contractual terms are in place to limit the use or disclosure of personal information.
- Proactive Compliance and Monitoring: Establish and maintain a comprehensive privacy and data governance program for CCPA compliance. This includes regular reviews of data sharing agreements and marketing practices responsive to regulatory changes and enforcement trends.
- Engage with Regulators: The DoorDash and Sephora settlements highlight the importance of engaging in good faith with regulators and enforcement entities. Demonstrating a commitment to privacy and engaging responsively can impact the outcome of enforcement actions and penalties.
The DoorDash settlement provides a reminder and a warning to businesses: of the importance of ongoing compliance with evolving privacy laws like CCPA and older privacy laws like CalOPPA. As privacy regulations evolve, businesses must stay vigilant, ensuring their privacy practices continue to meet existing requirements while adapting to incorporate new and expanding obligations.
This article is available in the Jenner & Block Japan Newsletter./ この記事はJenner & Blockニュースレターに掲載されています。
Related Attorneys
Related Articles
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
On February 21, 2024, California Attorney General Rob Bonta announced a $375,000 settlement with DoorDash, the second-ever public enforcement action under the California Consumer Privacy Act (CCPA). This follows the AG’s $1.2 million settlement with Sephora, detailed in our previous discussion here. The DoorDash settlement addresses consumer privacy violations arising from DoorDash’s participation in a marketing co-operative, which the AG alleged constituted a sale of consumers’ personal information without providing notice or an opportunity to opt out under the CCPA and the California Online Privacy Protection Act (CalOPPA). This action is just the latest step in California’s aggressive push to uphold its comprehensive data privacy laws—and it illustrates the importance of a vigilant and proactive approach to privacy.
DoorDash’s Alleged Violations and Settlement
The action against DoorDash stems from allegations that the company failed to adequately inform its users about their right to opt out of the sale of their personal information, specifically related to DoorDash’s participation in two marketing co-ops, starting in 2018, in which participating businesses contributed customers' personal information in exchange for the ability to advertise their products to other co-op participants' customers. In January 2020, DoorDash transmitted personal information of its California customers, including names, addresses, and transaction histories, to the marketing co-op. The information was then sold downstream to other companies. At least one DoorDash customer subsequently received marketing materials by mail from third party businesses because of this disclosure.
The complaint alleged that the disclosure of personal information to the marketing co-op was a “sale” under the CCPA. It also asserted that DoorDash failed to inform customers that it was disclosing personally identifying information about them to third parties and did not identify the categories of third parties to which it was disclosing such information, in violation of both CCPA and CalOPPA.
The settlement requires DoorDash to pay $375,000 in penalties, comply with the CCPA and CalOPPA regarding privacy disclosures and consumer privacy opt-out rights, and implement and maintain a privacy compliance program for three years. Specifically, the compliance program requires DoorDash to:
-
- Assess and monitor if it is selling or sharing personal information, including for marketing services or “to providers of analytics or measurement services”;
- Evaluate whether it is effectively providing consumers with required privacy disclosures, in its privacy policy and notice at collection, and providing the right to opt-out;
- Document its compliance program in writing, including specific policies and procedures and technical and operational controls for:
-
- Reviewing contracts with service providers and contractors to ensure compliance with CCPA requirements;
- Documenting technical and operational controls implemented for service provider and contractor risk assessment and diligence under the CCPA;
- Maintaining an inventory of marketing co-ops in which the business participates and any contracts with those co-ops;
- Explaining—with respect to the sale or sharing of personal information with providers of marketing services or analytics or measurement services—where in its privacy policies and notices at collection it discusses any sale or sharing of personal information and the methods for consumers to opt-out of such sale or sharing; and
-
- Annually certify compliance for three years.
Comparison with Sephora Settlement
There are notable differences from the previous CCPA enforcement action against Sephora:
-
- Penalty Amount: DoorDash’s settlement involved a $375,000 penalty, significantly lower than the $1.2 million fine imposed on Sephora. This difference likely reflects the nature and scope of the alleged violations, including that DoorDash stopped participating in marketing co-ops in 2020.
- Compliance Period: DoorDash is required to implement and maintain a compliance program and certify its compliance for a period of three years. Sephora’s compliance program was only in effect for two years. This extended compliance period signals an increase in oversight and ongoing engagement with the AG’s Office and emphasizes the importance of maintaining adherence to CCPA requirements.
Key Takeaways for Businesses
-
- Transparency and Communication: Ensure clear communication with consumers about data collection practices and their rights under CCPA, including selling or sharing of personal information to third parties, the categories of such third parties, and the right to opt-out of the sale or sharing of personal information, including regular review of privacy practices to ensure accurate and transparent disclosures in the business’ privacy policy and notice at collection.
- Understand When a Disclosure is a “Sale”: The DoorDash settlement underscores the sweeping definition of “sale” under CCPA—including, specifically, the disclosure of information to providers of marketing services or analytics and measurement services. The Sephora action signaled the AG was interpreting the definition broadly; this action against DoorDash confirms it.
- Manage Service Provider Privacy Risk: Businesses should evaluate their service provider and contractor relationships—particularly with marketing, analytics, and measurement providers—to identify and mitigate any privacy risks. This includes ensuring appropriate contractual terms are in place to limit the use or disclosure of personal information.
- Proactive Compliance and Monitoring: Establish and maintain a comprehensive privacy and data governance program for CCPA compliance. This includes regular reviews of data sharing agreements and marketing practices responsive to regulatory changes and enforcement trends.
- Engage with Regulators: The DoorDash and Sephora settlements highlight the importance of engaging in good faith with regulators and enforcement entities. Demonstrating a commitment to privacy and engaging responsively can impact the outcome of enforcement actions and penalties.
The DoorDash settlement provides a reminder and a warning to businesses: of the importance of ongoing compliance with evolving privacy laws like CCPA and older privacy laws like CalOPPA. As privacy regulations evolve, businesses must stay vigilant, ensuring their privacy practices continue to meet existing requirements while adapting to incorporate new and expanding obligations.
This article is available in the Jenner & Block Japan Newsletter./ この記事はJenner & Blockニュースレターに掲載されています。
DoorDash’s Alleged Violations and Settlement
The action against DoorDash stems from allegations that the company failed to adequately inform its users about their right to opt out of the sale of their personal information, specifically related to DoorDash’s participation in two marketing co-ops, starting in 2018, in which participating businesses contributed customers' personal information in exchange for the ability to advertise their products to other co-op participants' customers. In January 2020, DoorDash transmitted personal information of its California customers, including names, addresses, and transaction histories, to the marketing co-op. The information was then sold downstream to other companies. At least one DoorDash customer subsequently received marketing materials by mail from third party businesses because of this disclosure.
The complaint alleged that the disclosure of personal information to the marketing co-op was a “sale” under the CCPA. It also asserted that DoorDash failed to inform customers that it was disclosing personally identifying information about them to third parties and did not identify the categories of third parties to which it was disclosing such information, in violation of both CCPA and CalOPPA.
The settlement requires DoorDash to pay $375,000 in penalties, comply with the CCPA and CalOPPA regarding privacy disclosures and consumer privacy opt-out rights, and implement and maintain a privacy compliance program for three years. Specifically, the compliance program requires DoorDash to:
-
- Assess and monitor if it is selling or sharing personal information, including for marketing services or “to providers of analytics or measurement services”;
- Evaluate whether it is effectively providing consumers with required privacy disclosures, in its privacy policy and notice at collection, and providing the right to opt-out;
- Document its compliance program in writing, including specific policies and procedures and technical and operational controls for:
-
- Reviewing contracts with service providers and contractors to ensure compliance with CCPA requirements;
- Documenting technical and operational controls implemented for service provider and contractor risk assessment and diligence under the CCPA;
- Maintaining an inventory of marketing co-ops in which the business participates and any contracts with those co-ops;
- Explaining—with respect to the sale or sharing of personal information with providers of marketing services or analytics or measurement services—where in its privacy policies and notices at collection it discusses any sale or sharing of personal information and the methods for consumers to opt-out of such sale or sharing; and
-
- Annually certify compliance for three years.
Comparison with Sephora Settlement
There are notable differences from the previous CCPA enforcement action against Sephora:
-
- Penalty Amount: DoorDash’s settlement involved a $375,000 penalty, significantly lower than the $1.2 million fine imposed on Sephora. This difference likely reflects the nature and scope of the alleged violations, including that DoorDash stopped participating in marketing co-ops in 2020.
- Compliance Period: DoorDash is required to implement and maintain a compliance program and certify its compliance for a period of three years. Sephora’s compliance program was only in effect for two years. This extended compliance period signals an increase in oversight and ongoing engagement with the AG’s Office and emphasizes the importance of maintaining adherence to CCPA requirements.
Key Takeaways for Businesses
-
- Transparency and Communication: Ensure clear communication with consumers about data collection practices and their rights under CCPA, including selling or sharing of personal information to third parties, the categories of such third parties, and the right to opt-out of the sale or sharing of personal information, including regular review of privacy practices to ensure accurate and transparent disclosures in the business’ privacy policy and notice at collection.
- Understand When a Disclosure is a “Sale”: The DoorDash settlement underscores the sweeping definition of “sale” under CCPA—including, specifically, the disclosure of information to providers of marketing services or analytics and measurement services. The Sephora action signaled the AG was interpreting the definition broadly; this action against DoorDash confirms it.
- Manage Service Provider Privacy Risk: Businesses should evaluate their service provider and contractor relationships—particularly with marketing, analytics, and measurement providers—to identify and mitigate any privacy risks. This includes ensuring appropriate contractual terms are in place to limit the use or disclosure of personal information.
- Proactive Compliance and Monitoring: Establish and maintain a comprehensive privacy and data governance program for CCPA compliance. This includes regular reviews of data sharing agreements and marketing practices responsive to regulatory changes and enforcement trends.
- Engage with Regulators: The DoorDash and Sephora settlements highlight the importance of engaging in good faith with regulators and enforcement entities. Demonstrating a commitment to privacy and engaging responsively can impact the outcome of enforcement actions and penalties.
The DoorDash settlement provides a reminder and a warning to businesses: of the importance of ongoing compliance with evolving privacy laws like CCPA and older privacy laws like CalOPPA. As privacy regulations evolve, businesses must stay vigilant, ensuring their privacy practices continue to meet existing requirements while adapting to incorporate new and expanding obligations.
This article is available in the Jenner & Block Japan Newsletter./ この記事はJenner & Blockニュースレターに掲載されています。
Related Attorneys
Related Articles
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026