CCPA Radar tracks publicly announced enforcement actions, settlements, and penalty decisions under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Its purpose is to provide a clear, practical view of how California regulators interpret and enforce privacy obligations in real cases.
The radar brings together key information on enforcement trends, including the regulator, the organization involved, the amount of the penalty, the legal basis of the violation, and the core compliance issues identified in each matter. By presenting these cases in one place, CCPA Radar helps privacy, legal, compliance, and security teams better understand which failures most often lead to regulatory action.
More than a list of fines, CCPA Radar is designed as a working compliance resource. It shows how regulators approach topics such as opt-out mechanisms, dark patterns, children’s data, privacy notices, vendor contracts, and the technical implementation of consumer rights. This makes it easier to translate enforcement activity into concrete lessons for internal privacy governance and risk management.
DoorDash, Inc.
Penalty: 375,00 USD
Core issue: Sale through a marketing cooperative without proper notice and opt-out
Date: February 21, 2024
Main public findings: California DOJ announced that DoorDash sold California customers' personal information through participation in a marketing cooperative without providing notice or an opportunity to opt out. DOJ treated participation in that cooperative as a sale under the CCPA.
Cause of the violation: DoorDash exchanged customer data in a cooperative marketing arrangement that enabled mutual marketing benefits, but it did not provide consumers with the disclosures and opt-out rights required for that type of sale.
Recommendations: Map all outbound data-sharing arrangements; assess loyalty, affiliate, and cooperative marketing programs under CCPA sale/share definitions; provide clear notice and opt-out rights before participating in such programs; review partner contracts and actual data flows regularly.
Source: