Insights

PUB  California and FTC Announce Enforcement Act

California and FTC Announce Enforcement Actions Involving the Sale of Personal Information

In two back-to-back announcements, California and the FTC reemphasized their enforcement efforts related to the sale of personal information.

On February 21, 2024, California Attorney General ("AG") Rob Bonta announced that the app-based food delivery service DoorDash had agreed to a $375,000 settlement to resolve claims that the company violated the California Consumer Privacy Act ("CCPA") and California Online Privacy Protection Act ("CalOPPA"). DoorDash allegedly violated the CCPA and CalOPPA by selling consumers' personal information without informing them that it sold their information and by failing to provide the consumer with an opt-out right. This settlement marks the second time California's AG has publicly enforced CCPA protections related to the "sale" of consumers' personal information—signaling that this is a top enforcement priority.

According to the California AG, DoorDash had shared California customers' personal information (such as names, addresses, and transaction histories) to a marketing cooperative in exchange for the ability to market its services to customers of other participating businesses. The California AG used the broad definition of "sale" in the CCPA to argue that DoorDash's conduct violates the CCPA's prohibition on "sales" of personal information because DoorDash traded personal information in exchange for the benefit of being able to advertise to potential new customers. 

The very next day, the Federal Trade Commission ("FTC") announced that it will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing consumer web browsing data. The FTC's administrative complaint alleges that Avast and its subsidiaries collected and sold consumers' browsing information without informing consumers and despite touting the privacy and security features of its products. The complaint further alleges that Avast falsely claimed that it only sold consumers' information in aggregate and anonymous form. In reality, the FTC alleges, Avast sold data with unique and persistent identifiers that provided sufficient details to identify individual users. 

These two recent enforcement actions illustrate that regulators are closely scrutinizing transactions involving the sharing and selling of consumers' personal information. Businesses participating in marketing cooperatives or otherwise engaged in other data-sharing relationships should carefully review their practices, update their privacy policies to provide notice to consumers, and provide opt-outs. 

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.