Data Sharing with Advertising Partners

What it is

DoorDash shares your data with outside advertising companies so they can show you targeted ads, and this practice counts as selling or sharing your data under California law.

Why it matters (compliance & governance perspective)

The clause establishes a data-sharing practice with external advertising entities and acknowledges regulatory classification of this sharing under state privacy frameworks. This operational practice creates a direct data flow to advertising partners outside DoorDash's direct control.

Consumer impact (what this means for users)

This provision means your personal information, including purchase history and inferred preferences, may be transferred to advertising partners who can use it for cross-site tracking and ad targeting, unless you affirmatively opt out through DoorDash's privacy settings.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: Under CPRA, sharing personal information with third parties for cross-context behavioral advertising qualifies as a 'sale' or 'sharing' even without monetary exchange, triggering opt-out rights and the requirement to honor Global Privacy Control signals. The FTC has indicated that cross-context behavioral advertising data flows are subject to scrutiny under unfair or deceptive practices authority. Virginia CDPA, Colorado CPA, and Connecticut CTDPA each provide opt-out rights for targeted advertising. 2. GOVERNANCE EXPOSURE: High. The breadth of data potentially shared (order history, location, device identifiers) combined with the acknowledgment that this may constitute a CPRA sale or sharing creates significant compliance obligations including opt-out infrastructure, vendor contracting, and annual disclosure requirements under CPRA. 3. JURISDICTION FLAGS: California presents the highest exposure due to CPPA enforcement of CPRA's sale and sharing opt-out requirements. States with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, Florida) each provide targeted advertising opt-out rights that must be honored. EU and UK users would require a separate lawful basis analysis; DoorDash's primary operations in these jurisdictions may not be covered by this policy. 4. CONTRACT AND VENDOR IMPLICATIONS: Each advertising partner receiving data qualifying as a sale or sharing must be documented in a public 'Do Not Sell or Share' disclosure. Procurement teams should confirm that ad tech vendors are not receiving data categories that trigger sensitive information restrictions under CPRA, particularly precise geolocation or inferred health or financial information derived from order patterns. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should confirm GPC signal recognition is implemented at the technical level and that the opt-out covers all advertising SDKs and pixels embedded in the DoorDash app and website. Annual CPRA data rights disclosures must enumerate categories of personal information sold or shared and recipient categories. Cookie banner and consent management platforms should be audited to ensure opt-out signals propagate to all downstream advertising partners.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Precise Geolocation Collection medium
• California Resident Privacy Rights (CPRA) medium
• Data Sharing with Merchants and Dashers medium
• Retention of Personal Information low
• Collection of Payment and Financial Information low
• Use of Cookies and Tracking Technologies medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.