On March 12, 2025, the California Privacy Protection Agency (the “Agency”), in its first order of decision (the “Final Order”) under the California Consumer Privacy Act of 2018 (as amended, the “CCPA”) [1], fined American Honda Motor Co., Inc. (“Honda”) $632,500 for CCPA violations involving opt-out requests, advertising cookies, and agreements with third-party data processors.
Executive Summary
Given that the Agency concluded that fewer than 200 California residents (here, “consumers”) were impacted by the CCPA violations, the $632,500 fine is remarkable. The Agency’s key findings included: (1) Honda used the same webform for consumers to verify their identity regardless of the type of CCPA request, impeding the consumer’s request and resulting in Honda collecting more personal information than necessary; (2) Honda’s website cookie management tool did not provide consumers with a “symmetrical” choice—Honda required multiple steps for consumers to decline cookies, whereas the default setting accepted all cookies; and (3) Honda could not produce the contracts it signed with technology advertising companies who processed personal information on its behalf to prove that they were CCPA compliant.
Key Takeaways/Findings
1. Businesses Should Not Seek to “Verify” Right to Limit or Right to Opt-Out Requests
The CCPA requires businesses to “verify” consumers who exercise the right to delete, access, or correct their personal information, but prohibits verification for consumers who seek to exercise their rights to opt out of the sale/behavioral profiling (sharing) of their personal information or limit the processing of their “sensitive” personal information—the need for verification is less important there, because an imposter is less likely to submit these types of requests. Honda used the same webform on its website to handle all CCPA consumer requests, and by doing so, required consumers to verify requests for which verification is prohibited as per the above. Further, Honda required consumers to verify that authorized agents were permitted to act on their behalf for exercising the above opt-out rights, when the CCPA does not require such verification.
2. Businesses Must Offer “Symmetry in Choice” in Cookie Management Tools[2]
Under the CCPA, businesses must provide methods for submitting CCPA requests that are “easy to understand” and offer “symmetry in choice,” which means that the privacy-protective option cannot be longer or more difficult or time-consuming. Honda’s website cookie management tool, which allows consumers to turn off advertising cookies on its website, contained several asymmetrical choice options. First, a “confirm my choices” button was enabled by default when all cookies were enabled, but a “decline all cookies” button was not available. Second, turning off advertising cookies required two steps, versus just one to turn them on. Third, if consumers returned to the cookie management tool after turning off the advertising cookies, a new “allow all” choice appeared.
3. Businesses Must Enter Into CCPA Compliant Contracts With Processors
Covered businesses must enter into CCPA-compliant contracts with service providers, contractors, and third parties (as such terms are defined by the CCPA) who process their personal information. Although Honda disclosed and shared personal information with advertising technology companies, Honda could not produce contracts it had executed with them.
Action Items
The Final Order underscores that the Agency and California Attorney General remain active in their CCPA enforcement efforts, and the penalties for non-compliance are severe. Besides the $632,500 fine, the Agency required Honda, within 90-180 days, to (i) revise its methods for submitting CCPA requests; (ii) consult a user experience designer to evaluate its methods for submitting CCPA requests; (iii) modify its contracting process to ensure that CCPA-compliant contracts are in place with “all external recipients of Personal Information”; and (iv) post metrics concerning its consumer request processing on its website for a period of five years. Businesses that are subject to the CCPA should:
- review their procedures for consumers to exercise all of their rights under the CCPA;
- confirm that their systems are updated to recognize “opt-out” preference signals;
- review their use of cookie management tools or “cookie banners,” including to ensure “symmetry in choice;” and
- ensure that all data processing contracts comply with the CCPA.
[1] Cal. Civ. Code § 1798.100 et seq.
[2] The Agency Enforcement Division issued an Advisory on September 4, 2024, warning businesses to avoid the use of “dark patterns” and to ensure that their user interfaces provide consumers with symmetrical privacy choices and use language that is clear and easy to understand.