Continuing its self-described “commercial surveillance crackdown,” the Federal Trade Commission hit online alcohol marketplace Drizly and its CEO, James Corey Rellas, with an enforcement action early last week.

The regulatory agency alleged that Drizly and Rellas failed to appropriately safeguard its consumer data in spite of being alerted to gaps in security two years prior to a recent data breach, which resulted in the exposure of 2.5 million consumers’ personal information. The order requires the company to destroy all unnecessary data, restricts what information the company can collect going forward—otherwise known as “data minimization”—and binds Rellas to certain data security requirements, according to a FTC press release.