On March 12, 2025, the Board of the California Privacy Protection Agency (“CPPA”) issued a decision requiring American Honda Motor Co. (“American Honda”) to change its business practices and pay a $632,500 fine for making it difficult for Californians to exercise their privacy rights. Specifically, the CPPA’s Enforcement Division alleged that the company violated the California Consumer Privacy Act (“CCPA”) and Californians’ privacy rights by:
- “requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit;
- using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
- making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
- sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”
American Honda Motor Co. agreed to “implement a new and simpler process for Californians to assert their privacy rights,” including certification of compliance, employee training, engaging a user experience consultant to evaluate its methods for submitting privacy requests, and changing its contracting process to ensure appropriate mechanisms are in place to protect personal information.
Companies that are subject to the CCPA should consider the actions American Honda was required to take to resolve the CPPA’s allegations. Some of the requirements have straightforward solutions (e.g., symmetrical cookie banner, updates to the user interface, applying Global Privacy Control, and updating the methods for handling data subject requests); however, the requirement that American Honda modify its contract management and tracking process to ensure all required contractual terms are in place with regard to external recipients of personal information within 180 days is cumbersome and may be challenging.
This settlement means that companies subject to the CCPA must review vendor, service provider, subcontractor, and similar agreements that involve the sharing of personal information to ensure adequate protections are in place, whether through an attached data protection agreement or the inclusion of similar clauses in the main agreement. Companies should be aware that the Colorado Privacy Act contains similar contractual requirements.
The narrow investigation into privacy practices for connected vehicles and related technologies was announced on July 31, 2023, in “CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies.” It would be a mistake to assume that the CPPA’s focus will remain this narrow. Also, a data subject complaint submitted to the CPPA could initiate an investigation.
It is easy to determine whether a company has a symmetrical cookie banner, an adequate user interface, an implementation of Global Privacy Control, and appropriate methods for handling data subject requests, because significant parts of these items are viewable to the public.
We recommend that companies subject to the CCPA take steps to remove visible noncompliance by:
- implementing a symmetrical cookie banner or adding alternative methods as outlined by the California regulations;
- implementing the Global Privacy Control for opting out of selling/sharing of personal information (such a universal opt-out mechanism is required by many state privacy laws);
- providing appropriate methods for handling data subject requests; and
- implementing a process for handling data subject complaints at the company level.
We also recommend establishing contractual obligations to protect personal information provided to service providers and their subprocessors as required by the CCPA regulations and the Colorado Privacy Act. Understand that these recommendations do not equate to full compliance with the CCPA or any other state privacy law. Reach out to one of the authors for questions on compliance with the CCPA and other state privacy laws.