CalOPPA Brought to the Forefront in Recent California Privacy Case 

The second enforcement action publicly announced since the California Consumer Privacy Act (CCPA) took effect in January 2020 involved food delivery company DoorDash, which agreed to pay a $375,000 fine as part of a settlement announced by the California Attorney General. The first action, against Sephora, involved a $1.2 million penalty in August 2022.

In the DoorDash settlement a few weeks ago, the company ran afoul of the CCPA and the California Online Privacy Protection Act (CalOPPA) through its participation in a marketing cooperative, which resulted in the sharing of customer personal information with other companies in exchange for advertising opportunities. During the first month the CCPA was effective, DoorDash disclosed California customer personal information, including names, addresses, and transaction histories, to other businesses in the cooperative so it could market its services to the customers of the other businesses.

The California Attorney General’s Office found this activity violated the CCPA’s requirements for businesses that sell personal data and that DoorDash failed to properly remedy the issue during the then-allowed cure period. The company “could not determine which downstream companies had received its data so that it could contact each company to request that it delete or stop further selling the data.” In addition, the company violated the California Online Privacy Protection Act of 2003 (CalOPPA), since it failed to note the type of information disclosed in the cooperative in its privacy policy. The settlement requires DoorDash to review its contracts with marketing and analytics vendors and its use of technology to determine whether it is selling consumer personal information. The company must certify its compliance to the Attorney General annually for a period of three years. 

The decision’s reference to CalOPPA, effective as of July 1, 2004, is interesting given all the hype around consumer privacy laws such as the CCPA, the CPRA (the California Privacy Rights Act, which amended the CCPA), and many state privacy laws over the past five years. CalOPPA was the first state law in the United States that required commercial websites and online services to include a privacy policy on their website. According to this California law, under the Business and Professions Code, Division 8 Special Business Regulations, operators of commercial websites that collect personally identifiable information from California's residents are required to conspicuously post and comply with a privacy policy that meets specific requirements. A website operator who fails to post their privacy policy within 30 days after being notified about noncompliance will be deemed in violation. CalOPPA is what initially drove the posting of privacy policies to really take off in the United States, and the DoorDash settlement is a great reminder that organizations must not lose sight of privacy initiatives that are decades old.
