Drizly, LLC
Online alcohol-delivery platform Drizly exposed the personal data of about 2.5 million consumers in a 2020 breach after ignoring known security flaws. It is a precedent-setting case that imposes personal obligations on the CEO.
Case identifiers
- Respondent: Drizly, LLC (and James Cory Rellas (CEO))
- Agency: Federal Trade Commission
- Announced: 2022-10-24
- Monetary relief: Injunctive only
- Case number: FTC File No. 202-3185
- Statutes cited: FTC Act § 5
Key facts
1. Drizly exposed account information of 2.5 million consumers after a 2020 breach.
2. The company had known of security vulnerabilities since 2018 but failed to remediate them or hire a senior security officer.
3. First high-profile FTC privacy case to name an individual executive personally in the order.
4. The order follows CEO Rellas to any future company handling significant consumer data.
What the order requires
Injunctive terms imposed by the Federal Trade Commission. These bind Drizly, LLC's data practices going forward.
- Order applies personally to CEO James Cory Rellas for 10 years at any company where he has a senior role and more than 25,000 consumer records.
- Required data minimization: destroy information not necessary for an ongoing service.
- Implementation of multi-factor authentication and a written security program.
Primary sources
Read the original government documents. These are the authoritative records; everything on this page is derived from them.
FAQ
What did the FTC charge Drizly, LLC with?
Online alcohol-delivery platform Drizly exposed the personal data of about 2.5 million consumers in a 2020 breach after ignoring known security flaws. It is a precedent-setting case that imposes personal obligations on the CEO. The Federal Trade Commission cited FTC Act § 5.
How much did Drizly, LLC pay?
The 2022-10-24 order did not include monetary penalties against Drizly, LLC; the agency focused on injunctive relief (prohibiting certain practices going forward).
Does the Drizly, LLC settlement mean my data has been deleted?
No, the order does not automatically delete your data. You retain full rights under state privacy law (CCPA, CPA, TDPSA, VCDPA, and others) to submit your own deletion request. OfflistMe can generate a compliant deletion email pre-addressed to the respondent’s privacy contact.
How can I read the original FTC order?
The Federal Trade Commission press release is available at https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million. The case / matter number is FTC File No. 202-3185.