On March 12, the California Privacy Protection Agency (CPPA) announced the first settlement reached under its jurisdiction to enforce the California Consumer Privacy Act (CCPA). This settlement, with American Honda Motor Co. Inc. (Honda), follows the CPPA’s investigation, begun in July 2023, into manufacturers of connected vehicles – a term that covers any vehicle equipped to capture personal information, such as geolocation, driving behavior or biometric data.
The stipulated order found four CCPA violations by Honda as described below. Honda agreed to pay a $632,500 penalty, implement simpler processes for consumers to submit privacy rights requests, train its employees on CCPA compliance, ensure it has contracts in place to protect the consumer data that it shares or sells, and certify its compliance to the CPPA for the next five years.
First, Honda demanded more personal information from consumers than necessary to exercise their privacy rights. The CCPA requires businesses to verify requests to delete, correct or know what personal information the business has collected, in order to avoid the potential harm that processing a fraudulent request might cause. However, requests to opt out of the sale or sharing of personal information (Requests to Opt-Out), or to limit the use of sensitive personal information (Requests to Limit), do not require verification. According to the CPPA, “Honda generally needs only two data points” to identify a consumer and comply with a Request to Opt-Out or a Request to Limit, and the potential harms caused by a fraudulent submission of these requests are minimal. Honda failed to distinguish between requests that require verification and those that don’t, instead requiring consumers to submit at least eight data points of additional personal information before processing any privacy rights request.
Second, the CPPA found Honda inhibited authorized agents from submitting Requests to Opt-Out or Requests to Limit on a consumer’s behalf by requiring those consumers to directly confirm that they authorized the request. According to the CPPA, businesses may ask an authorized agent to provide the consumer’s signed permission, demonstrating that they have been authorized to act on the consumer’s behalf, and may contact the consumer directly to confirm such authorization only for verifiable requests to delete, correct or know. But businesses may not require the consumer to directly confirm that they have authorized an agent to submit Requests to Opt-Out or Requests to Limit. Requiring direct confirmation of authorization to submit such requests may hinder a consumer’s use of third-party tools that streamline the process for opting out across multiple websites with a single action, making it harder to exercise privacy rights.
Third, Honda improperly provided an asymmetrical choice for opting in and out of advertising cookies. The CCPA requires that it be no longer, more difficult or more time-consuming for a consumer to select a more privacy-protective option than to select a less privacy-protective option. Honda contracted with third-party compliance vendor OneTrust to provide a cookie management tool for its websites. This tool required two steps to turn off advertising cookies (first a “decline” button, then a “confirm my choices” button), but only one step to opt back in (an “accept all cookies” button). The order also states: “A website banner that provides only two options when seeking Consumers’ consent to use their Personal Information – such as ‘Accept All’ and ‘More Information,’ or ‘Accept All’ and ‘Preferences’ – is not equal or symmetrical.” Website operators and compliance vendors are on notice that the CPPA considers even a one-click discrepancy to be a CCPA violation.
Finally, Honda failed to produce contracts with third parties to whom it sold consumers’ personal information. The CCPA requires businesses that share or sell personal information to enter into agreements that, among other provisions, identify the limited and specific purposes for which the recipient may use the information and also require the recipient to comply with the CCPA, respond to privacy rights requests and adequately protect the information. Based on the CPPA’s order, Honda was unable to produce such contracts.
Of the $632,500 total fine that Honda must pay, the order states that “$382,500 accounts for Honda’s conduct toward” 153 consumers whose privacy rights requests were impacted by Honda’s request verification process. This equates to $2,500 per consumer, which is the statutory penalty provided by the CCPA for each non-willful violation. Thus, it appears Honda agreed to pay an additional $250,000 penalty for its remaining violations. This figure is important because it indicates that the CPPA may consider limiting its tally of total “violations” to the number of consumers affected, rather than counting multiple similar infractions against the same consumer as multiple discrete “violations,” which could severely increase the penalty.
We will continue to monitor these and other developments related to privacy and data security. Please reach out to Kramer Levin’s Privacy, Cybersecurity and Data Innovation group for more information.