Andrew Serwin, Lea Lurquin and Kieran de Terra | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/aserwin/
DLA Piper's Global Privacy and Data Protection Resource
Feed date: Fri, 10 May 2024 03:22:19 +0000

California Attorney General Settles with DoorDash over Alleged Sale of Personal Information
https://privacymatters.dlapiper.com/2024/02/california-attorney-general-settles-with-doordash-over-alleged-sale-of-personal-information/
Fri, 23 Feb 2024 01:17:57 +0000

Overview

On February 21, 2024, the California Attorney General (CA AG) announced that it had reached a settlement with DoorDash over allegations that the company failed to comply with “sale” requirements under the California Consumer Privacy Act (CCPA) and disclosure requirements under the California Online Privacy Protection Act (CalOPPA). The settlement requires DoorDash to pay a $375,000 civil penalty and comply with specific injunctive terms.

The CA AG’s complaint alleges that DoorDash participated in marketing co-operatives (“co-ops”) in which the company provided its customers’ personal information (such as names, addresses, and transaction histories) to the co-op without giving its customers notice or an opportunity to opt out of the sale. Upon receiving DoorDash’s customer personal information, the co-op would combine DoorDash’s customer data with the customer data of other third-party co-op members, analyze the data, and allow members to send mailed advertisements to potential leads. The CA AG considered such data disclosure a “sale” of personal information under the CCPA’s broad definition of that term. Specifically, DoorDash received “valuable consideration” in exchange for disclosing its customer data to the co-op, namely the “opportunity to advertise its services directly to the customers of the other participating companies.”

The CA AG’s second cause of action invoked CalOPPA, a 20-year-old California privacy law that imposes transparency obligations on companies that operate websites for commercial purposes and collect personally identifiable information from Californians. The complaint alleged violations of CalOPPA by DoorDash due to the company’s failure to disclose in its privacy policy that it would share its customers’ personally identifiable information with other third-party businesses (e.g., marketing co-op members) for those businesses to contact DoorDash customers with ads.

Key Takeaways

This settlement serves as a critical reminder of the importance of compliance with current and emerging state privacy laws, emphasizing the broad definition of “sale” under the CCPA and the strict requirements for transparency and consumer choice. Additionally, we expect the California Privacy Protection Agency, another California privacy regulator (vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA) to ramp up its own investigative and enforcement efforts this year. Thus, businesses should consider the following:

  • “Selling” is Broader than Cookies – companies should reassess how their data disclosure activities may be considered “selling” under the CCPA. Many companies focus on the use of third-party ad and analytics cookies on their websites as the main trigger for “sale” compliance obligations under the law. This settlement makes clear that companies should broaden their review and assessment of their marketing department’s use of personal information to cover non-cookie-related data disclosures.
  • Review and Update Privacy Policies – an outdated, unfair and deceptive, or misleading privacy policy serves as an online billboard announcing a company’s non-compliance with state privacy laws as well as state unfair competition laws (such as California’s Unfair Competition Law (UCL)). As this settlement demonstrates, this can be a magnet for consumer complaints and regulatory scrutiny (including at the federal level under Section 5 of the Federal Trade Commission Act). Companies should review and update their privacy policies whenever they materially change how they handle personal information. Under the CCPA, privacy policies must be updated at least annually.
  • Opt-Out Mechanisms – companies should ensure that compliant opt-out mechanisms, including an interactive webform and a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link, are in place. Opt-out mechanisms must also recognize and respond to universal opt-out preference signals, such as the Global Privacy Control (GPC) signal.
  • Don’t Forget the Apps – the complaint noted that both the DoorDash website and mobile application (App) failed to inform consumers about the sale of their personal information and their right to opt out. Companies that collect personal information via an App and engage in “backend” selling of personal information should ensure that the App includes sufficient CCPA disclosures and a mechanism for users to easily opt out of the sale of their personal information (see here for the CA AG’s previous announcements of an investigative sweep focused on violations of the CCPA in the App context).
  • Marketing Co-Ops – this enforcement action makes clear that the California regulators consider a company’s participation in a marketing co-operative to be a “sale” under the CCPA. Companies participating in marketing co-ops and other third-party data sharing engagements should carefully review their agreements with the data recipients to ensure they restrict the recipients’ ability to further disclose or sell consumer personal information.

For more information about these developments and the CCPA in general, contact your DLA relationship Partner, the authors of this blog post, or any member of DLA’s Data, Privacy and Cybersecurity team.

US: Regulators Enhance Information Security Requirements for Financial Services Companies
https://privacymatters.dlapiper.com/2023/11/us-regulators-enhance-information-security-requirements-for-financial-services-companies/
Mon, 06 Nov 2023 22:30:42 +0000

Sweeping Amendments to NYDFS Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) announced extensive amendments to its cybersecurity requirements for financial institutions issued under 23 NYCRR Part 500. The amendments are intended to address the evolution in the cybersecurity landscape since the regulation was first enacted in 2017, including the increasing sophistication of threat actors and improvements in the tools available for organizations to protect themselves. Covered entities continue to include entities operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under NY Banking Law, Insurance Law or Financial Services Law.

Key changes in the amended regulation include:

  • Creating a new class of covered entities (based on revenue and/or employee thresholds) that are subject to heightened requirements;
  • Enhancing requirements related to vulnerability management, access controls, and the use of encryption;
  • Providing prescriptive requirements related to the use of multi-factor authentication;
  • Requiring the implementation of policies and procedures related to business continuity and disaster recovery;
  • Requiring additional controls to prevent unauthorized access to information systems;
  • Updating cybersecurity incident notification requirements, including a new requirement to report ransomware payments; and
  • Amending the scope of the exemptions and enforcement provisions under the regulation.

The amended requirements will take effect in phases, with some having already come into force on November 1, 2023.

FTC Implements Security Incident Notification Requirement under Safeguards Rule

In other financial services information security developments, the Federal Trade Commission (FTC) issued a final rule creating a security incident notification requirement under its Gramm Leach Bliley Act (GLBA) Safeguards Rule. The FTC’s Safeguards Rule implements GLBA’s security requirements, with the FTC having Safeguards Rule jurisdiction over mortgage lenders, certain non-bank lenders, finance companies, mortgage brokers, account services, check cashers, wire transferors, collection agencies, credit and financial advisors, tax preparation firms, and investment advisors that are not required to register with the Securities and Exchange Commission.

Under the final rule, covered financial institutions must electronically notify the FTC within 30 days of discovering a “notification event” that involves the information of at least 500 consumers. The scope of data and incidents that could be subject to the rule is very broad. A notification event is defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” The Safeguards Rule broadly defines “customer information” as “any record containing nonpublic personal information about a [consumer] customer of a financial institution, whether in paper, electronic, or other form.” For example, the fact that a consumer is a financial institution’s customer would itself be customer information subject to the rule. The definition of “notification event” also presumes that customer information was “acquired” if there was unauthorized access to such information; to rebut this presumption, a financial institution must have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition. Unlike the U.S. state security breach notification laws, the rule does not include a good faith exception for situations where an employee or contractor mistakenly accesses or acquires personal information.

The rule will take effect 180 days after its publication in the Federal Register. The FTC will post the notifications it receives publicly on its website.

For more information, please contact your DLA relationship Partner, the authors of this blog post, or any member of our Data Protection team.

US: Understanding Governance–A Path for Privacy and Security Governance
https://privacymatters.dlapiper.com/2023/10/us-understanding-governance-a-path-for-privacy-and-security-governance/
Thu, 26 Oct 2023 20:53:37 +0000

Implicit within Delaware law, and now explicit in the SEC Cyber Rules, is the concept of adequate governance. It is not what the FTC just said on a particular topic, the latest guidance from a Data Protection Authority, what the NIST framework provides, or a set of controls in any particular subject area regarding privacy or cyber. Governance of a corporation is purely a matter of internal affairs, and while individual programs may be managed or “governed”, that is not governance under Delaware law. Sixty percent of the Fortune 500 are incorporated in Delaware, and as a result Delaware law plays an outsized role in defining issues like governance. And now that the SEC has added a specific disclosure requirement regarding cyber governance, it is all the more important to have a consistent definition and approach.

This graphic captures what governance is, including escalation, represented by the green dashed line coming from “measurement and reporting”, which is essentially the information systems/information gathering capability of a company. Governance includes both oversight and operations concepts.

Direction is the first step, and that is set by Delaware General Corporations Code Section 141, which provides, “every corporation organized under this chapter shall be managed by or under the direction of a board of directors…” To differentiate it from the points that follow: the direction that is set is a broad vision for a company.

Strategy is inherent in the business judgment rule, a core principle of Delaware law, and as summarized by the state of Delaware, “Although some major transactions require the consent of stockholders as well as the approval of the board, the board generally has the power and duty to make business decisions for the corporation. These decisions include establishing and overseeing the corporation’s long-term business plans and strategies, and the hiring and firing of executive officers.” That gives us the concept of strategy being part of governance.

Oversight is a concept embedded within the business judgment rule, and it is also part of the Caremark standard that serves as a potential basis for director and officer liability.

Controls, and measurement and reporting, also come directly from Delaware law. As noted most recently in In re McDonald’s Corporation Stockholder Derivative Litigation, “another critical part of an officer’s job is to identify red flags, report upward, and address them if they fall within the officer’s area of responsibility. Once again, pause and envision an officer telling the board that their job did not include any obligation to report red flags or address them.”

That returns us to the original graphic—the governance process—and why this is the process that should be used. Here we see one final point—the process itself is the same no matter the subject matter area. The controls differ when the process is keyed to a different subject, but the process remains the same. This also illustrates a common misconception among subject matter experts—controls are not governance. They are part of governance, but they are not by themselves governance.

Understanding this concept is critical as companies try to build compliant and resilient privacy and cybersecurity programs.

For more information on cybersecurity processes, or how public companies can prepare for compliance, please contact your DLA Piper relationship partner, the authors of this blog post, or any member of our Data Protection team.
