On March 7, 2025, the California Privacy Protection Agency (CPPA) reached a settlement with American Honda Motor for violating the California Consumer Privacy Act (CCPA). The ruling is based on Honda’s practices in handling consumer privacy requests and its sharing of personal information for advertising.
This order from the CPPA makes it clear that simply adding a consent banner to your website isn’t enough for compliance. Businesses must ensure that the banner is properly configured and that all necessary data handling processes and contracts are in place. Getting consent to work correctly is easier said than done, but I’ll get to that in a minute. Here are the alleged violations:
- Excessive Data Collection for Opt-Out Requests. Honda required consumers to provide more personal data than necessary (e.g., full address, email, phone number) to opt out of the sale/sharing of their personal information or to limit the use of their sensitive personal information. The CCPA does not allow businesses to require identity verification for these types of requests, even though many businesses have historically done so. Honda used a single process for requests that require verification and those that do not, so the same information was demanded for both.
- Asymmetric Cookie Opt-Out Mechanism. On Honda’s websites, opting out of tracking cookies took more steps than opting in (e.g., two clicks to opt out versus one click to “Accept All”). This violated the CCPA’s “symmetry in choice” requirement, which is designed to ensure that opting in and opting out are equally easy.
- Improper Handling of Requests from Authorized Agents. Consumers have the right to appoint a third party (an authorized agent) to submit requests on their behalf, such as opting out of data sharing. Honda required consumers to directly confirm that they had authorized the agent before it would act on an opt-out/limit request. The CPPA found that this additional confirmation step is not allowed under the CCPA, as it creates an unnecessary barrier to exercising consumer rights.
- Missing Contracts with Ad Tech Vendors. Honda shared personal data with advertising technology partners without required contracts that limit data use and ensure CCPA compliance, putting consumer data at risk.
Penalties and Orders
Honda agreed to pay a $632,500 administrative fine, with $382,500 attributed to specific consumer harm. That portion works out to roughly $2,500 per consumer who faced barriers to opting out that the CCPA explicitly prohibits. Honda also agreed to make the following privacy practice changes within 90 to 180 days:
- Revise its opt-out/limit request process to collect only the minimum data required.
- Update cookie management to provide a “Reject All” option alongside “Accept All.”
- Provide separate forms for different types of consumer requests based on whether verification is required.
- Apply Global Privacy Control (GPC) signals to known users.
- Consult a UX designer to ensure ease of use and clarity.
- Train staff on CCPA compliance.
- Implement a contract management process for third-parties receiving Honda data.
Next Steps to Avoid These Risks
To mitigate the risk of penalties for non-compliance with CCPA requirements, businesses should take the following steps:
- Minimize data for opt-out requests. Only ask for the minimum information necessary to fulfill consumer personal information requests, and verify identity only when required and permitted by law.
- Ensure symmetrical choices. Evaluate the opt-in and opt-out processes for using personal information, particularly with cookies. Opting out should be as easy as opting in. Honda was using the OneTrust CMP; using a CMP does not eliminate consent risk unless it is configured correctly.
- Check authorized agent processing. Ensure that a person or business that a consumer designates can act on their behalf when making privacy-related requests. This means businesses cannot require direct confirmation from the consumer in a way that creates an unnecessary barrier.
- Review third-party contracts. Check contracts with any third party receiving data from your site to ensure they include necessary provisions for how they can use the data and obligate them to comply with the law.
In addition to following these steps, keep in mind that maintaining a consent manager properly is often significantly more complicated than expected. Most websites would not stand up to the test used to assess the Honda fine. Missing third parties, incorrect categorization, and third-party tags that still fire after a user selects “Reject All” are a few of the most common issues. Avoiding them requires constant diligence.
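As an added example (not Honda’s, OneTrust’s or LOKKER’s code), the following JavaScript shows the three mechanics named above and in the list of orders: a symmetric “Accept All” / “Reject All” choice, honoring the Global Privacy Control signal (read from `navigator.globalPrivacyControl` in the browser or the `Sec-GPC: 1` request header on the server), and an audit that reports third-party tags which fired even after “Reject All”. The consent categories, the tag registry and the treatment of “advertising” as the sale/sharing category are assumptions for illustration, not taken from the settlement.

```javascript
// Added example (not Honda's, OneTrust's or LOKKER's code): a consent gate that
// honors a symmetric Accept All / Reject All choice and the Global Privacy
// Control signal, plus an audit helper that reports tags which fired without
// consent. Assumptions (hypothetical): the three consent categories, the tag
// registry below, and that "advertising" is the sale/sharing category.

// Constructed registry of third-party tags and the consent category each needs.
const TAG_REGISTRY = [
  { src: "https://static.example-site.test/app.js", category: "necessary" },
  { src: "https://cdn.example-analytics.test/tag.js", category: "analytics" },
  { src: "https://ads.example-adtech.test/pixel.js", category: "advertising" },
];

// GPC is exposed client-side as navigator.globalPrivacyControl and server-side
// as the "Sec-GPC: 1" request header. Either source counts as a valid opt-out.
function readGpc({ navigator, headers } = {}) {
  if (navigator && navigator.globalPrivacyControl === true) return true;
  if (headers && String(headers["sec-gpc"] ?? "") === "1") return true;
  return false;
}

// Symmetric choice: one action for each outcome, no extra "manage settings"
// detour on the reject path. Anything else is rejected rather than guessed.
function consentFromChoice(choice) {
  switch (choice) {
    case "accept_all":
      return { analytics: true, advertising: true };
    case "reject_all":
      return { analytics: false, advertising: false };
    default:
      throw new Error(`unknown consent choice: ${choice}`);
  }
}

// Resolve the effective consent state. Precedence:
//   1. nothing beyond "necessary" is allowed until the user has chosen;
//   2. a stored choice carries over between page loads;
//   3. a fresh banner choice replaces the stored one;
//   4. a GPC signal is an opt-out of sale/sharing and overrides any stored
//      or fresh opt-in for the "advertising" category.
function resolveConsent({ choice = null, stored = null, gpc = false } = {}) {
  let consent = { analytics: false, advertising: false };
  if (stored) consent = { ...consent, ...stored };
  if (choice) consent = consentFromChoice(choice);
  if (gpc) consent.advertising = false;
  return { ...consent, necessary: true };
}

// URLs the page may load under the given consent state. Everything else must
// stay blocked, including on the first request before the banner is answered.
function tagsToLoad(consent) {
  return TAG_REGISTRY.filter((t) => consent[t.category] === true).map((t) => t.src);
}

// Audit check for the failure mode described above: compare what actually
// loaded (e.g. request URLs from a HAR capture taken after clicking
// "Reject All") against what the consent state allows.
function auditLoadedTags(consent, loadedUrls) {
  const allowed = new Set(tagsToLoad(consent));
  return loadedUrls.filter((u) => !allowed.has(u));
}

// Stand-alone demo with constructed input: a visitor with GPC enabled clicks
// "Accept All", yet advertising stays off; a second visitor's "Reject All"
// page still loaded every tag, which the audit flags.
function demo() {
  const gpc = readGpc({ navigator: { globalPrivacyControl: true } });
  const gpcVisitor = resolveConsent({ choice: "accept_all", gpc });
  const rejected = resolveConsent({ choice: "reject_all" });
  const observed = TAG_REGISTRY.map((t) => t.src); // constructed: everything fired
  return {
    gpcVisitor,
    allowedAfterReject: tagsToLoad(rejected),
    leakedAfterReject: auditLoadedTags(rejected, observed),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit function is the part worth wiring into a CI or periodic check: capture the requests a real browser makes after a scripted “Reject All” click and feed the URLs in; any non-empty result is exactly the kind of finding the CPPA’s test surfaces.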
Outcome
Honda did not admit liability but agreed to the findings and to implement the orders. The ruling resolves the CPPA’s investigation, contingent on Honda complying with all terms, including reporting and implementation deadlines. The decision sets a strong precedent on enforcement of consumer rights and user-friendly privacy design. It also points to the need for continuous monitoring by a tool like PrivacyEdge. Learn more by scheduling a free consent analysis from LOKKER.