On March 7, 2025, the California Privacy Protection Agency (“CPPA”) entered into a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”) settling alleged violations of the California Consumer Privacy Act (“CCPA”). The settlement requires Honda to pay a $632,500 fine and implement changes to consumer rights request processes under the CCPA. (Honda neither admitted nor denied the bulk of the agency’s findings, and did not admit liability for any violation of the law.)
The decision focused on three issues, as further described below: (i) processes for complying with consumer requests to opt out of the sale or sharing of personal information, or to limit the use of sensitive personal information; (ii) providing consumers with symmetrical choice in opt-out tools; and (iii) ensuring that CCPA-required third-party agreements are in place when personal information is shared or sold.
The Allegations: Providing Consumers With Sufficient Privacy Choices
The CPPA’s investigation of Honda’s practices during 2023 and 2024 led to the following allegations:
Overly Burdensome Opt-Out Processes:
The CCPA prohibits businesses from requiring a consumer to verify their request to (i) opt out of the sale or sharing of personal information or (ii) limit the use of sensitive personal information (“Opt-Out Requests”). CCPA Code Regs. tit. 11, §§ 7026(d), 7027(e), 7060(b). According to the Order, Honda’s online “Privacy Center” required consumers to provide more information than was necessary when submitting Opt-Out Requests. By mandating at least eight data fields—including name, full address, email, phone number and VIN number—for all CCPA requests, including Opt-Out Requests, through a single webform, Honda allegedly applied an unlawful verification standard to these non-verifiable requests. (Order ¶ 42.)
The CPPA suggested that Honda generally only needed as few as two data points to identify a consumer in its database (though it did not suggest which combination of data points would have been sufficient). But its primary concern was that by “requir[ing] the matching of more than two data points provided by the Consumer to information within its database before processing the Consumer’s Requests to Opt-Out of Sale/Sharing and Requests to Limit[,] Honda essentially requires Consumers to Verify themselves before processing these requests.” (Order ¶ 42.)
In the CPPA’s view, these additional information requirements functionally amounted to a “verification” requirement – contrary to the CCPA rules. It was presumably the mandatory nature of these fields that concerned the CPPA – i.e., amounting to effective “verification” – rather than the mere fact that Honda provided an ostensibly comprehensive set of opt-out choices.
Same Standard Applied to Authorized Agents.
The CPPA applied this same reasoning to Opt-Out Requests from authorized agents – these, too, must be honored without verification. (Order ¶ 49.) While businesses can request that authorized agents provide signed permission from the consumer on whose behalf they are making the request, Honda took the extra step of contacting the consumer directly to confirm permission. This is allowed for verifiable consumer requests, but not permitted for Opt-Out Requests.
Lack of “Symmetrical Choice” in Cookie Management:
Notably, the CPPA also took issue with alleged asymmetry between the opt-in and opt-out choices of Honda’s cookie management tool. Specifically, opting out of Advertising Cookies required two steps: (1) toggling off the cookies; and (2) clicking “Confirm My Choices.” To opt back in to Advertising Cookies, however, a consumer only needed to click one button, “Allow All.”
This was surprising because Honda’s website appeared to have a state-of-the-industry cookie consent banner (which is generally not required) as well as a state-of-the-industry opt-out tool – which for purposes of transparency divided cookies into “functional,” “performance,” and “advertising” cookies. Each type of cookie was categorized and described, and each permitted a distinct opt out – i.e., a consumer could opt out of one but not the other. (A separate set of “strictly necessary” cookies was always on.) Yet the CPPA held that this two-click process did not provide “symmetry in choice” because consumers opted in with a single click:
“Symmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the Consumer’s ability to make a choice. [Cal. Code Regs. tit. 11], § 7004(a)(2).”
(Order ¶ 60.) The Order then noted that “[a]n equal or symmetrical choice, by contrast, could be between ‘Accept All’ and ‘Decline All.’” (Order ¶ 62 (citing § 7004(a)(2)(C)).) While this reasoning may be technically correct, it places form over substance, and over benefits to consumers: the Order reasons that it would have been preferable for Honda to provide consumers with a single opt-out choice, requiring them to accept a less functional website if they wished to opt out of targeted ads. This is not a consumer-friendly result. By the same token, the Order’s rationale incentivizes website controllers to simply omit consent banners (which provide useful consumer transparency), thus sidestepping the “symmetry” issue altogether.
Failure to Implement Adequate Vendor Contracts:
Finally, the Order alleges that “[d]espite Collecting, Selling, Sharing, and disclosing Personal Information with these advertising technology companies, Honda could not produce contracts with these advertising technology companies.” (Order ¶ 69.) Section 7053 of the CCPA regulations mandates that businesses sharing or selling personal information with a third party enter into an agreement with that third party containing specific provisions related to CCPA compliance.
It is unclear what type of ad tech relationships Honda had, or why it could not produce or obtain copies of those contracts. It is possible that the allegations simply indicate poor record-keeping by Honda rather than a more substantive failure. However, to the extent that the Order suggests that a website must contract with all downstream entities engaged in (for instance) retargeting a website visitor, this will be problematic for publishers and advertisers engaged in cross-contextual behavioral advertising, including real-time bidding and retargeting.
These parties commonly enter into agreements with a single downstream entity (for instance, a supply side or retargeting platform) but not each downstream entity – the latter being impractical. An effort by the Interactive Advertising Bureau to obtain mass agreement by publishers and ad tech platforms to a single agreement failed to achieve universal acceptance: if the Order is read as effectively requiring such a universal effort, the IAB’s efforts may be invigorated.
The Order: Penalties and Required Remedial Actions
Beyond the monetary penalty of $632,500, the Order mandates a significant number of corrective actions, including:
- Streamlined Opt-Out Processes: Honda must revise its Opt-Out Request submission methods to require that a consumer provide only the information necessary to process such requests. (Order ¶ 77(a))
- Proper Handling of Authorized Agent Requests: Honda is prohibited from requiring consumers to directly confirm authorized agent Opt-Out Requests. (Order ¶ 77(b))
- Separation of Request Mechanisms: Honda must separate its (online) methods for submitting opt-out/limit requests from those for “verifiable” consumer requests (e.g., access, correction, deletion). (Order ¶ 77(c)(1))
- Improved Authorized Agent Submissions: Honda’s process for authorized agents must be updated to require authorized agents to provide their own contact information in addition to the consumer’s. (Order ¶ 77(c)(2))
- Enhanced Cookie Management: Honda must integrate the link to manage cookie preferences within its Privacy Center, Privacy Policy, and website footer. Furthermore, its cookie management platform (“CMP”) must include a “Reject All” button to ensure symmetry of choice with the “Allow All” option. (Order ¶ 77(c)(3)–(4))
- Global Privacy Control Recognition: Honda is required to recognize the Global Privacy Control (“GPC”) for known consumers. (Order ¶ 77(c)(5))
- User Experience Review: Honda must consult a user experience (“UX”) designer to evaluate and provide recommendations on making its CCPA request methods easy to use. (Order ¶ 79)
- Updated Personnel Training: All personnel handling CCPA requests must receive updated training on relevant CCPA requirements. (Order ¶ 80)
- Strengthened Contract Management: Honda must modify its contract management process to ensure its agreements with external recipients of personal information include the necessary CCPA terms. (Order ¶ 81)
- Annual Metrics Reporting: For five years and as required by the CCPA thereafter, Honda must annually post metrics related to CCPA requests on its website. (Order ¶ 82)
Key Takeaways
This action demonstrates that the CPPA is actively scrutinizing how businesses handle consumer privacy rights, and intends to be prescriptive regarding how businesses comply with statutory requirements.
Key Lessons from this Case Include:
- Differentiate Verifiable and Non-Verifiable Requests: Businesses must have distinct and statutorily compliant processes for handling different types of CCPA requests, and must avoid applying verification requirements to Opt-Out Requests.
- Recognize Authorized Agents: The rights afforded to consumers extend to their authorized agents, and businesses must ensure their processes accommodate these agents without imposing unlawful requirements, like direct consumer confirmation, for non-verifiable requests.
- Evaluate Symmetry of Choice: When offering consumers choices regarding their personal information, especially in the context of cookie consent, the options presented should be equally accessible and require a similar level of effort. If relying on a CMP to facilitate opt-outs, businesses should evaluate appropriate language and configurations to ensure consumers can opt in and opt out with equal effort.
- Implement Robust Vendor Contracts: Businesses that share personal information with third parties, particularly ad tech vendors, must have legally sound contracts in place that adhere to the CCPA’s requirements. It remains to be seen, however, how prescriptive the CPPA will be in interpreting and enforcing this requirement as it relates to data sharing with numerous downstream parties for cross-contextual behavioral advertising.