Overview
On March 7, 2025, the California Privacy Protection Agency (CPPA) issued a settlement order imposing a $632,500 fine on American Honda Motor Co., Inc. for violations of the California Consumer Privacy Act (CCPA). The CPPA alleged four main violations: (a) requesting too much information to process data subject rights requests, (b) failing to provide “symmetrical” data sale choices, (c) requiring too much authorized agent verification, and (d) failing to execute contracts with advertising technology partners.
Although this action arose from the CPPA’s review of the automotive industry, all companies should determine whether their practices violate similar CCPA requirements.
In Depth
AGENCY’S FINDINGS INDICATE ITS PRIORITIES
The CPPA alleged several CCPA violations.
1. Honda allegedly requested excessive information to process data subject requests.
The CPPA found that Honda (a) requested more information than needed to process “verifiable” requests (such as delete requests) and (b) requested more information than needed to locate an individual for “non-verifiable” requests (such as the right to opt out of selling or sharing and the right to limit sensitive personal information processing). For example, Honda asked consumers to provide nine discrete categories of personal information to verify requests even though only two were needed for “verifiable” requests.
2. Honda allegedly required more steps to opt out of sale or sharing than to opt back in.
Honda allegedly violated the CCPA’s “symmetry in choice” provisions, which require the same number of steps to “opt out” as it takes to “opt in” (i.e., the same number of steps to exercise a more privacy-protective choice as a less privacy-protective choice). To opt out, Honda’s privacy preference center required consumers to (1) turn off the “Advertising Cookies” toggle and (2) confirm their choice. To opt back in, consumers were only required to press an “Allow All” button (i.e., one step to opt in compared to two steps to opt out).
3. Honda allegedly required verification for authorized agent requests to opt out of sale or sharing.
Honda allegedly required each consumer to directly confirm to Honda that the consumer had “authorized” the agent to submit a request to opt out on the consumer’s behalf. Although companies can require direct consumer confirmation for “verifiable” requests to access, correct, or delete data, the CPPA asserted that companies cannot do so for requests to opt out or requests to limit.
4. Honda allegedly failed to execute required contracts with advertising technology partners.
The CPPA also asserted that Honda failed to execute third-party contracts with advertising partners that constituted a sale or sharing. Under the CCPA, contracts containing specific terms, including details about the processing, are required with both “service providers” (i.e., processors) and “third parties” to whom data is sold.
The order also includes a corrective action plan that requires Honda to complete the following tasks within 90 to 180 days (and certify completion of some actions to the CPPA):
- Remediate alleged violations
- Separate online processes for rights requests
- Allow agents to provide a consumer’s contact information
- Add a link to manage cookie preferences within Honda’s privacy center, privacy policy, and in the footer of its privacy policy webpages
- Include a “Reject All” button within Honda’s cookie management platform to provide symmetry in choice with its “Allow All” button
- Allow the Global Privacy Control to also apply to a known consumer
- Consult with a “user experience designer” who must conduct specified testing to evaluate and recommend changes to Honda’s CCPA data subject request process
- Train personnel who are handling CCPA requests on these requirements
- Modify contract management and tracking processes and ensure contracts are executed with all external recipients of personal information
- Post aggregated statistics regarding Honda’s data subject rights responses for five years (and longer if otherwise required under the CCPA).
HOW SHOULD YOU RESPOND?
- Request only data that is needed to locate an individual in your records to process requests to opt out and requests to limit (not data needed to “verify identity” with more certainty as with other rights).
- Require the same number of steps to opt in as it takes to opt out of sale and sharing, particularly in cookie banners and preference centers.
- Do not require consumers to directly confirm an agent’s authority when processing authorized agent requests to opt out or requests to limit.
- Review and update contract management and tracking processes and ensure contracts are executed with all third-party recipients of personal information and all third-party advertising technology partners to whom data is sold or shared.
- Ensure Global Privacy Control is applied to all known consumers.
The McDermott team has developed extensive resources to help companies mitigate litigation and regulatory risks, including standard operative procedures, playbooks, and template language. Please reach out to your regular McDermott lawyer or contact the authors if you have questions or need assistance with designing, implementing, testing, or benchmarking your company’s cookie compliance measures.