When you order age-restricted products like alcohol, DoorDash may collect and process your government-issued ID and signature. The policy acknowledges this information is treated as sensitive personal data in some states and countries.
This analysis describes what DoorDash's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy identifies government-issued identification and signatures as potentially sensitive personal information and states that consent will be obtained where legally required, but does not specify in detail how consent is obtained or how long this data is retained.
Interpretive note: The policy states consent is obtained where legally required but does not specify the consent mechanism, which makes independent verification of compliance with jurisdiction-specific sensitive data consent requirements uncertain.
If you order alcohol or other age-restricted items, DoorDash may collect and process your government-issued ID document and signature, which the policy classifies as sensitive personal information in some jurisdictions. The policy states this data is used for fraud prevention, age verification, and legal compliance, and is not used to infer personal characteristics.
How other platforms handle this
YOU MUST BE AND HEREBY AFFIRM THAT YOU ARE AN ADULT OF THE LEGAL AGE OF MAJORITY IN YOUR COUNTRY OR STATE OF RESIDENCE. If you are under the legal age of majority, your parent or legal guardian must consent to this agreement.
Replit is not directed to children under the age of 13. If you are under 13 years of age, you are not permitted to use the Services. If we learn that we have collected Personal Information from a child under age 13, we will take steps to delete such information from our files as soon as possible.
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will take steps to delete such information. In some juris...
Monitoring
DoorDash has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Identification Documentation and Signature for Age-Restricted Products, including driver's license or other government issued identification documents, which we may process in limited circumstances such as an order for an age-restricted product (such as alcohol) or other products that require age and/or identity verification and for legal and regulatory compliance. Some of the information identified above that you choose to provide us (specifically, government issued identification and your signature, which we receive when we verify age and identity and the authenticity of a submitted government issued ID for certain orders (such as alcohol orders) to prevent fraud and demonstrate legal and regulatory compliance and precise location information, which we receive to facilitate deliveries and certain content, features and functionality within our Services), may be considered sensitive Personal Information under the laws of some jurisdictions.— Excerpt from DoorDash's DoorDash Privacy Policy
REGULATORY LANDSCAPE: Government-issued identification data is classified as sensitive personal information under the CCPA and CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, and Virginia CDPA. Processing of such data may also implicate state biometric privacy laws where ID verification involves facial recognition or biometric matching. The FTC and state attorneys general have enforcement authority over misrepresentations regarding sensitive data handling. GOVERNANCE EXPOSURE: High. The collection of government-issued ID documents constitutes sensitive personal information processing in multiple jurisdictions. The policy states consent is obtained where legally required but does not specify the consent mechanism, data retention period, or the specific third-party identity verification services used. Compliance with applicable consent and data minimization requirements should be independently verified. JURISDICTION FLAGS: Illinois Biometric Information Privacy Act (BIPA) may be implicated if identity verification involves biometric data extraction from ID documents. California CPRA requires opt-in consent for sensitive data processing. Texas and Washington have analogous biometric and sensitive data frameworks. International users in Canada, Australia, and New Zealand are also covered by sensitive data provisions under their respective privacy laws. CONTRACT AND VENDOR IMPLICATIONS: Third-party identity and age verification vendors must be subject to data processing agreements limiting use to the stated purpose. Contracts should specify retention periods and require deletion of ID data after verification is complete. Vendor security certifications should be assessed given the sensitivity of the data category. COMPLIANCE CONSIDERATIONS: Legal teams should confirm that consent mechanisms for ID document collection are jurisdiction-specific and auditable. Retention schedules for government ID data should be documented and enforced. The identity verification vendor list should be reviewed to confirm all processors are disclosed and compliant. A data protection impact assessment may be warranted for this processing activity in certain jurisdictions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy identifies government-issued identification and signatures as potentially sensitive personal information and states that consent will be obtained where legally required, but does not specify in detail how consent is obtained or how long this data is retained.
If you order alcohol or other age-restricted items, DoorDash may collect and process your government-issued ID document and signature, which the policy classifies as sensitive personal information in some jurisdictions. The policy states this data is used for fraud prevention, age verification, and legal compliance, and is not used to infer personal characteristics.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DoorDash.