Food delivery company DoorDash agreed to pay a $375,000 fine as part of a settlement announced by California Attorney General Rob Bonta addressing alleged violations of the California Consumer Privacy Act (CCPA).

The enforcement action, announced Wednesday, is the second to be levied publicly since the CCPA took effect in January 2020. The first action came down more than one year ago, when Sephora was assessed a $1.2 million penalty in August 2022 for violating the consumer privacy law.

Regarding DoorDash, the attorney general alleged the company ran afoul of the CCPA and the California Online Privacy Protection Act (CalOPPA) in relation to its participation in a marketing cooperative that saw it share customer personal information with other companies in exchange for advertising opportunities.

The details: During the first month the CCPA was effective, DoorDash disclosed California customer personal information, including names, addresses, and transaction histories, to other businesses in the cooperative so it could market its services to the customers of the other businesses, according to a complaint.

Bonta’s office found this activity violated the CCPA’s requirements for businesses that sell personal data and that DoorDash failed to properly remedy the issue during the then-allowed cure period. The company “could not determine which downstream companies had received its data so that it could contact each company to request that it delete or stop further selling the data,” per the complaint.

The company’s alleged violations of CalOPPA related to its failure to state in its privacy policy the type of information disclosed in the cooperative.

“I hope [this] settlement serves as a wake-up call to businesses: The CCPA has been in effect for over four years now, and businesses must comply with this important privacy law,” said Bonta in a press release. “Violations cannot be cured, and my office will hold businesses accountable if they sell data without protecting consumers’ rights.”

Compliance considerations: The settlement requires DoorDash to review its contracts with marketing and analytics vendors and its use of technology to determine whether it is selling consumer personal information. The company must certify its compliance to the attorney general annually for a period of three years.

For its part, DoorDash said the cooperative it participated in breached its contract by failing to delete California customer data upon request.

Company response: “DoorDash ended its relationship with all marketing cooperatives in 2020, and we’re pleased to have resolved this years-old matter,” said DoorDash Spokesperson Parker Dorrough in an emailed statement. “This settlement arises out of a single incident involving a vendor over four years ago, the same month the California Consumer Privacy Act went into effect, and the terms reflect our good faith and deep commitment to privacy.”