The California attorney general’s office reached a settlement with DoorDash after the food delivery company sold customer data without proper notice or opt-out controls. It got slapped with a measly $375,000 fine (for context, DoorDash’s stock price is $120 and change), but don’t brush this off as a one-and-done. A closer look at the settlement raises critical questions about second-party data.

At the heart of the DoorDash case are marketing co-ops. The original complaint claims that DoorDash was a member of two marketing co-ops, with whom DoorDash shared customers’ names, addresses, and order histories so that other co-op members could market to them. It got caught after a customer complained on social media that she received direct mail addressed to “an alias that she had used solely with DoorDash […] She intentionally used an alias to protect her privacy, particularly to conceal her actual home address […]” (no wonder she complained!).

DoorDash must update its privacy policy to disclose the names and descriptions of any marketing co-ops that it participates in and give consumers the ability to exercise their “do not share or sell my data” rights. While this sounds straightforward, there are three notable takeaways for B2C marketers:

  • The broad definition of “sale” is here to stay for Californians. The Sephora settlement made clear that the attorney general is defining sale more broadly than just “money exchanging hands,” and the DoorDash case reinforces that. While adtech companies have historically argued that they don’t sell data because they aren’t paid in exchange for data files, California’s regulators take a different view.
  • Consent is not a “set it and forget it” exercise. Marketing co-ops, and second-party data-sharing agreements broadly, typically rely on the notion that data is “consented.” People opted into being DoorDash customers and thus supplied their personal information to place orders. But under California’s law, they also have the right to revoke consent for their data being shared or sold. Note that this is not unique to California: Every US state privacy law includes the right to opt out of data selling. But states define sales differently, from Iowa’s definition as “the exchange of personal data for monetary consideration” to Montana’s, which broadens that to include “monetary or other valuable consideration.” (This is why we need a federal privacy law.) Don’t fall into a trap of thinking one form of consent covers all your use cases in all jurisdictions.
  • Don’t lose sight of who has access to your first-party data, even in a co-op. Even if it wanted to, DoorDash couldn’t honor consumers’ opt-out-of-sale requests because it didn’t know who in the co-op accessed its data. Even worse, at least one data broker in the co-op resold DoorDash’s data to an unknown number of partners. The marketing co-op model wasn’t addressed in the final settlement, leaving unresolved questions. Marketers using co-ops today should evaluate their ability to process and disseminate opt-out requests and how much transparency they have into who has accessed their data, when, and what controls they have to prevent reselling.

2024 is going to be a busy year, with more fines and investigations. The California attorney general has already highlighted streaming services as a focus area, and the Federal Trade Commission has been busy as well: It just banned antivirus company Avast from selling users’ browsing data and is rumored to be preparing to block the Kroger-Albertsons merger, which would impact their retail media networks. Buckle up for a(nother) busy year on the privacy front, and as always, schedule a guidance session for a deeper dive.