Morgan & Morgan Pursues DoorDash Data Privacy Claims Over Alleged Unauthorized Tracking by Analytics Firm Amplitude
America’s largest personal injury law firm is pursuing mass arbitration claims on behalf of DoorDash users, alleging that third-party analytics company Amplitude secretly harvested personal data through the food delivery app — without users’ knowledge or meaningful consent.
Morgan & Morgan, the nation’s largest personal injury law firm, is actively pursuing data privacy claims against Amplitude, Inc. — a third-party analytics company embedded within the DoorDash app — on behalf of consumers whose personal data was allegedly collected and transmitted without adequate disclosure or consent.
The analytics company’s technology, integrated into the DoorDash mobile app, allegedly harvests private data including geolocation information and shares it with marketing platforms such as Facebook Ads and TikTok Ads without app users’ consent, according to a federal complaint filed in the U.S. District Court for the Northern District of California (Case No. 3:24-cv-04913). Consumers who used DoorDash on or after January 1, 2023, may be eligible to file a claim, even if their account is no longer active or they were unaware of any data collection at the time.
Quick Case Snapshot
| Field | Detail |
| Claimants / Plaintiffs | DoorDash consumers (individual arbitration claimants represented by Morgan & Morgan) |
| Primary Defendant | Amplitude, Inc. (data analytics company) |
| Secondary Party | DoorDash, Inc. |
| Court | U.S. District Court, Northern District of California |
| Case Number | 3:24-cv-04913 |
| Original Filing | August 2024 |
| Judge | Judge Rita F. Lin (N.D. Cal.) |
| Claims Alleged | Unauthorized data collection, wiretapping violations, privacy law violations (federal and state), failure to disclose data sharing practices |
| Damages Sought | Up to $1,000 or more per eligible claimant under applicable privacy statutes |
| Current Status | Federal judge ruled claims must proceed through arbitration (September 2, 2025); Morgan & Morgan pursuing mass arbitration strategy as of early 2026 |
What the Claims Allege
At the center of this dispute is not a traditional data breach — where hackers break into a company’s systems — but something that many legal experts consider more troubling: the deliberate, systematic collection of personal data by a background software tool that most consumers never knew existed.
Food delivery apps feel seamless to consumers, but a separate layer of technology is often working quietly in the background to analyze how people interact with the app itself. Analytics platforms like Amplitude are designed to help businesses understand user behavior, but their role raises important questions when applied to consumer-facing apps such as DoorDash.
Here is how it allegedly works: DoorDash user activity may be tracked by third-party analytics companies like Amplitude, which can collect detailed information about how users interact with DoorDash through analytics SDKs — software development kits — that operate behind the scenes and can automatically transmit user data such as browsing behavior, ordering patterns, and the precise timing of user actions.
The complaint goes further than simply alleging behavioral tracking. Amplitude’s technology allegedly siphons consumers’ geolocation data and other sensitive information, which it then shares with marketing platforms such as Facebook Ads and TikTok Ads. Amplitude also collects consumers’ names and email addresses, which, together with geolocation data, reveals where users live, work, and travel.
The claims center on whether consumers were properly informed about how their personal information was tracked, stored, or shared. Depending on how consumers used the app, the information at issue may include device identifiers, app usage behavior, interaction data, and other non-public information associated with account activity.
Morgan & Morgan’s legal theory is straightforward: the investigation alleges that sensitive user information was collected or shared without proper consent, and that consumers were not clearly informed how their data was collected, stored, or shared.
The firm is pursuing these claims using a legal strategy called mass arbitration — a powerful tool that has emerged as a consumer protection weapon precisely because companies like DoorDash include mandatory arbitration clauses in their terms of service that prevent users from joining traditional class action lawsuits.
Related article: Tokyo Valentino Lawsuit, Owner Michael Morrison Fights Georgia Counties Over Zoning, Licensing, and First Amendment Rights
Mass arbitration involves filing many individual arbitration claims at once, with each consumer maintaining their own separate claim. Coordinating those claims collectively helps to increase efficiency and accountability, and is especially effective in privacy cases where companies often rely on arbitration clauses to discourage consumers from asserting their rights.
Defendants’ Response
Amplitude has not publicly admitted wrongdoing but has aggressively sought to use legal procedure in its favor. The company argued that the case should be dismissed entirely on the grounds that consumers were not actually harmed by the data collection — a standard defense in privacy litigation.
That argument failed. A federal judge declined to dismiss the case on this basis, writing that the plaintiffs had alleged a concrete privacy harm and had “sufficiently alleged that they did not consent to the dissemination of their private information to Amplitude.”
However, Amplitude did win a key procedural ruling: a U.S. federal judge ruled that DoorDash users can press ahead with their privacy claims against Amplitude, but are bound by the arbitration agreement they signed with DoorDash. In practical terms, this means the claims cannot proceed as a traditional courtroom class action — but Morgan & Morgan’s mass arbitration strategy is specifically designed to work around this limitation.
Judge Rita F. Lin ruled that Amplitude can, as a non-party, enforce the arbitration agreements that users signed with DoorDash — meaning the analytics firm benefits from a contract it was never itself a party to. DoorDash has not filed a separate public response to Morgan & Morgan’s mass arbitration campaign specifically, though the company’s terms of service form the procedural foundation Amplitude is relying upon.
Legal Context
This case sits at the cutting edge of digital consumer privacy law — one of the fastest-evolving areas of U.S. litigation.
Several key legal concepts are at play. Wiretapping statutes, traditionally used in the context of phone surveillance, have been increasingly applied by courts to digital data interception. Plaintiffs argue that Amplitude’s SDK, by silently intercepting user data as it flows through an app, constitutes a form of electronic wiretapping under both federal law (the Electronic Communications Privacy Act) and state statutes — particularly California’s robust privacy laws.
Consent is the other central battleground. Companies routinely argue that users consented to data collection through their acceptance of lengthy terms of service agreements. Plaintiffs counter that consent buried in complex legal documents — for data practices most users never imagined — is not meaningful consent at all.
Privacy claims focus on how personal data was collected, shared, or retained, meaning users do not need to show out-of-pocket financial losses to participate. This is a critical point for everyday consumers: you do not need to have lost money or had your identity stolen to have a valid claim.
The arbitration dynamic in this case also reflects a broader industry pattern. Over the past decade, corporations have increasingly placed arbitration clauses into consumer and employment agreements, often as part of non-negotiable form contracts, requiring consumers to use private arbitration rather than courts.
Almost every type of consumer contract today includes such a clause. Morgan & Morgan’s mass arbitration strategy is a direct response — turning the arbitration system that companies designed to limit liability into a mechanism that can generate thousands of simultaneous individual claims, each with its own filing fees and administrative costs for the company.
Eligible claimants may be entitled to potential statutory damages of up to $1,000 or more per claim under federal and state privacy laws. When multiplied across potentially millions of DoorDash users, the aggregate exposure for Amplitude could be enormous.
Current Status & What Happens Next
The procedural landscape is now largely settled: individual arbitration is the forum, and Morgan & Morgan is moving forward on that basis. The key milestones ahead include:
Individual arbitration proceedings will be initiated for each eligible claimant who signs on with Morgan & Morgan. Each claim is technically separate, but the firm coordinates them collectively to maximize pressure on the defendant.
Eligibility reviews are ongoing. Morgan & Morgan reviews eligibility for free and only gets paid if compensation is recovered, allowing consumers to assert their rights with no financial risk.
Settlement negotiations are a realistic near-term possibility. Companies facing thousands of simultaneous arbitration claims — each carrying individual filing costs — frequently find it more economical to negotiate a global settlement than to fight each claim individually. This is precisely the leverage mass arbitration is designed to create.
For DoorDash users, the window to participate matters: consumers who used DoorDash on or after January 1, 2023, may be eligible, even if their account is no longer active.
FAQs
What exactly is Morgan & Morgan claiming DoorDash and Amplitude did wrong?
The claims allege that Amplitude, a data analytics company, collected and transmitted user data through embedded software in the DoorDash app without adequate disclosure or user consent. The data at issue may include device identifiers, app usage behavior, interaction data, and other non-public information associated with account activity.
Q: Do I need to prove I lost money to file a claim?
No. Eligibility depends on data activity, not proof of financial harm. Privacy claims focus on how personal data was collected, shared, or retained, meaning users do not need to show out-of-pocket losses to participate.
Q: Why isn’t this a class action lawsuit?
A U.S. federal judge ruled that DoorDash users can press ahead with privacy claims, but are bound by an arbitration agreement they signed with DoorDash. This prevents a traditional class action. Morgan & Morgan is responding with mass arbitration — thousands of individual claims filed simultaneously.
Q: How much could eligible claimants receive?
Potential statutory damages may be up to $1,000 or more per eligible claimant under federal and state privacy laws. Final amounts depend on individual circumstances and any negotiated settlement.
Q: Who qualifies to file a claim?
Consumers who used DoorDash on or after January 1, 2023, may be eligible, even if their account is no longer active or they were unaware of any data collection at the time.
Q: What does this case mean for other apps?
The implications extend well beyond DoorDash. Consumers may not realize how many parties are involved in app data collection, making transparency and consent central issues in emerging privacy disputes. A significant ruling or settlement here could reshape how analytics companies operate across the entire mobile app industry.
Last Updated: March 15, 2026
This article is for informational purposes only and does not constitute legal advice. Allegations in a complaint are not findings of fact. All parties are presumed innocent unless and until proven otherwise in court. If you believe you have a legal claim, consult a licensed attorney in your jurisdiction.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah