On March 12, 2025, the California Privacy Protection Agency (CPPA), the enforcement agency for the California Consumer Privacy Act (CCPA), announced a of over $630,000 with American Honda Motor Co. (Honda) for alleged privacy violations. This is the first time the CPPA has fined an automaker since the CPPA announced in July, 2023 that it was reviewing privacy practices related to connected vehicles.
The CPPA’s Order defines four key areas of Honda’s alleged non-compliance:
- Verifying information for requests to opt out/limit sensitive information.
- Verifying information for requests to opt out/limit sensitive information through agents.
- Providing lack of symmetry through the website’s cookie management tool.
- Engaging in insufficient contracts with advertising technology vendors.
This post will walk through each of these issues in turn, providing key takeaways to consider based on the CPPA’s Order.
1. Issue: Verifying Information for Requests to Opt Out/Limit Sensitive Information
The CPPA alleges that Honda’s webform, as depicted in the Order, requires individuals to include information for verification purposes when submitting requests to opt out of sale/sharing or limit the use of sharing sensitive information.
Overview: Per §7060(b) of the California Consumer Privacy Act Regulations (Regulations), there is no verification requirement to process requests to opt-out of the sale/sharing of personal information or for requests to limit the use of sensitive personal information.
The CPPA alleges that Honda’s “Submit A Privacy Request” webform required eight separate data points for a range of data subject access requests (DSARs), including the right to opt out of sale/sharing of personal information and limit use of sensitive information. Covered entities should not require verification before processing the requests.
According to the CPPA’s Order, from July 1, 2023 to September 23, 2023, Honda improperly required at least 119 individuals to provide excessive information and denied at least 20 individuals requests based on unlawful verification standards.
Takeaway:
Under the CCPA, opt out and limit requests are non-verifiable and covered entities should only collect the minimal data points necessary to fulfill the request.
You can learn more about responding to DSARs on our blog.
2. Issue: Verifying Information for Requests to Opt Out/Limit Sensitive Information through Agents
The CPPA alleges that Honda unlawfully required individuals to confirm with Honda directly that they had authorized an agent to submit requests on their behalf to opt out of sales/sharing or to limit use of sensitive information.
Overview: While covered entities may request proof of the individuals’ signed permission for an agent to act on their behalf, this is only permitted by verifiable requests – requests to know, delete or correct information, per §7063(a) of the Regulations.
The CPPA alleges that Honda’s direct confirmation requirement for request to opt out and limit goes beyond what is permitted in the CCPA and Regulations. The Agency alleges that these unlawful practices impacted at least 14 consumers during the reviewed period from July to September 2023.
Takeaway: The CCPA prohibits covered entities from requiring direct confirmation from consumers for non-verifiable requests – even when using an agent to effectuate this request.
Again, as opposed to requiring the same verification standards for all DSARs, covered entities should distinguish which types of requests are verifiable. This may vary between jurisdictions, so be sure to check all applicable laws when building your DSAR playbook. You can refer to our U.S. state privacy law post for relevant jurisdictional thresholds within the US, and covered entities should also consider international laws, like the GDPR, which may impose other DSAR or verification requirements.
3. Issue: Lack of Symmetry on the Website’s Cookie Management Tool
The CPPA alleges that Honda’s cookie management tool (the cookie banner at the bottom of their webpage) required more steps to opt out of sharing than to opt in, violating the symmetrical choice requirements of the CCPA.
Overview: According to the Order, individuals using Honda’s cookie banner needed to complete two steps to disable advertising – a “change” step and a “save” step. However, opting in required a single “change & save” step.
Per §7004(a)(2) of the Regulations, “[t]he path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or more time-consuming than the path to exercise a less privacy-protective option,” because an imbalance in options “would impair or interfere with the consumer’s ability to make a choice.”
According to the examples in the Regulations, “[a]n equal or symmetrical choice [in a website banner] could be between ‘Accept All’ and ‘Decline All.’”
Takeaway: Entities covered by the CCPA should ensure that the process to submit opt out requests – including those through cookie management tools – is no more difficult than the process to opt in.
According to the Regulations, this standard also applies when the individual uses the “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link. The number of steps for submitting a request to opt out is measured from when the consumer first clicks the link to the completion of the request. Similarly, the number of steps to opt in is measured from the first indication the consumer makes of their interest to opt in to the completion of the request.
4. Issue: Insufficient Contracts with Advertising Technology Vendors
The CPPA alleges that Honda failed to produce contracts (such as data protection agreements, or DPAs) that required technology vendors to sufficiently protect consumer information.
Overview: Under the CCPA §1798.100(d), when a covered entity collects a consumer’s personal information and discloses it to a service provider or contractor, the covered entity should enter into an agreement with that party, requiring them to protect the consumer’s personal information.
According to the Order, Honda lacked proper contractual agreements, despite collecting and disclosing individuals’ information with third-party vendors. These vendors included businesses that conducted targeted advertising, which may constitute “selling” or “sharing” personal information under the CCPA. Without agreements with these third-party vendors in place, the CPPA alleges that individuals’ information may be improperly used or shared without sufficient privacy protections.
Takeaway: The CCPA requires covered entities to maintain agreements, such as a DPA, that specify data use limitations, require CCPA compliance, and ensure a certain standard of privacy protection.
If a covered entity is disclosing personal information to third-party vendors, it should ensure that these contracts are in place and meet the law’s requirements.
Conclusion
The Order against Honda serves as a cautionary example for covered entities managing individuals’ information under the CCPA. In addition to the fine, the Order requires Honda to “certify its compliance, train its employees, and consult a user experience (UX) designer to evaluate its methods for submitting privacy requests. Honda must also change its contracting process to ensure appropriate mechanisms are in place to protect personal information.”
Additionally, the CPPA’s head of the Enforcement Division stated that “[the Agency] won’t hesitate to use our cease-and-desist authority to change business practices,” indicating that the Agency is serious about its enforcement authority. By taking proactive steps, covered entities can better protect against regulatory enforcement actions while working to safeguard individuals’ privacy.
