Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer

Wilson Sonsini Goodrich & Rosati

On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their opt-out rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.

Although this enforcement action was born out of the CPPA’s investigative sweep into connected vehicle manufacturers, the complaint and settlement serve as a warning to all businesses to ensure that their consumer request mechanisms and contracts are CCPA compliant. This alert provides a high-level summary of the complaint, settlement, and key takeaways for businesses.

CPPA’s Factual Findings in the Order

The CPPA alleged the following CCPA violations in the order:

  • Unlawful Verification of Consumer Requests to Opt Out and Limit. Under the CCPA, consumers have the right to opt out of the sale of personal information or “sharing” of their personal information for cross-context behavioral advertising, and to request that the business limit the use and disclosure of their sensitive personal information (“Request to Limit”). The CCPA also provides consumers with rights to request to know, correct, and delete their personal information. Businesses can request information from a consumer to verify their identity for requests to know, delete, and correct their data, but not for requests to opt out or limit. The CPPA alleged that Honda unlawfully required consumers to provide several data elements to verify their requests to opt out or limit by using the same webform to process all types of consumer requests. Specifically, Honda’s webform allegedly required consumers to provide their first name, last name, address, city, state, zip code, email, and phone number for requests to opt out or limit, which the CPPA alleged was more information than Honda needed to process those types of requests.
  • Unlawful Request for Direct Consumer Confirmation of Authorized Agent. The CCPA also permits consumers to submit requests through authorized agents. For agent requests to know, delete, or correct the consumer’s data, businesses can require the consumer to directly confirm that they provided the agent permission to submit the request, but businesses cannot ask for this confirmation for requests to opt out or limit. The CPPA alleged that Honda unlawfully required consumers to directly confirm that they gave permission to their agent to submit their requests to opt out or limit by using the same webform to process all types of consumer requests. Specifically, after their agent submitted a request on their behalf, Honda allegedly either emailed or mailed consumers about their requests to opt out or limit and asked consumers to confirm their requests to opt out or limit.
  • Asymmetrical Advertising Consent Banner Choices. The CCPA requires businesses to implement symmetrical consumer choice mechanisms, meaning that businesses cannot require consumers to take more steps to opt out of the sale of personal information than are required to opt in. The CPPA alleged that Honda had configured its third-party cookie management tool, powered by OneTrust, to impermissibly require consumers to take two steps to opt out, yet only one step to opt in. Specifically, consumers had to toggle off Advertising Cookies and click “Confirm My Choices” to opt out, yet consumers were only required to click an “Allow All” button to opt in. This is not the first time that the CPPA has emphasized its concerns about the use of “dark patterns” to undermine consumers’ choice when exercising privacy rights. For example, in its September 2024 enforcement advisory, the CPPA stressed that companies must offer user interfaces with both symmetrical choice and clear language to consumers.
  • Failure to Implement Contractual Safeguards. The CCPA requires businesses to execute contracts with specific terms and safeguards with both service providers and contractors, as well as with third parties to whom personal information is sold or shared for cross-context behavioral advertising. The CPPA alleged that Honda failed to produce contracts with ad tech companies to which it discloses personal information collected from consumers on its website. Despite this allegation, it is unclear from the order that Honda’s contracts definitively lacked the required contractual provisions.

Order Requirements

The order contains notable monetary and injunctive provisions, including:

  • Administrative Fine: Honda must pay an administrative fine totaling $632,500. Notably, and unlike the approach taken by most regulators, the CPPA transparently came to this amount by identifying in the complaint roughly 150 consumers affected by Honda’s conduct and detailing its steps for calculating penalties at $382,500 plus a lump sum of $250,000.
  • Modification to Manner of Submitting Requests to Opt Out and Limit: The order requires Honda to implement several changes to the way in which consumers submit their opt-out and limitation requests, including: 1) not requiring consumers to directly confirm with Honda that they have given their agent permission to submit a request to opt out or limit on their behalf; 2) creating separate methods for submitting requests to opt out and limit; 3) requiring authorized agents to provide the contact information of both themselves and consumers; 4) including the link to manage cookie preferences in its Privacy Center, privacy policy, and footer of the privacy policy; 5) providing a “Reject All” and “Allow All” button in its third-party cookie management tool to ensure symmetrical consumer choice; and 6) processing opt-out requests via the Global Privacy Control.
  • Recommendations from UX Designer: Honda must consult with a UX designer (internal or external) to review the methods of submitting rights requests, conduct testing to assess the ease of such methods of submission, and recommend the ways in which they can be made clear and easy to understand by a consumer.
  • Contract Management Improvements and Review: Though it is unclear from the order that Honda’s contracts lacked the CCPA-required contractual provisions, Honda must nonetheless review its contract management system to ensure that contracts with external recipients of personal information contain required terms. Honda must then notify the CPPA that all existing contracts contain the CCPA-required provisions.
  • Public Disclosures: Finally, for five years on an annual basis, Honda must compile and post on their website metrics concerning the number of rights requests that were received, complied with in whole or in part, and denied pursuant to § 7102 of the CCPA Regulations. Under § 7102, businesses that buy, sell, share, or otherwise make available for commercial purposes the personal information of 10 million or more consumers in a given calendar year are already required to make such disclosures.

Key Takeaways

The CPPA’s settlement with Honda highlights several compliance pitfalls that, while arising from obligations that have been in effect for some time, remain key areas of risk under the CCPA. This enforcement action serves as a timely reminder for businesses to reassess their CCPA compliance practices to ensure they withstand regulatory scrutiny.

For example, businesses should evaluate their consumer request handling processes—including those implemented through widely-adopted third-party privacy platforms—and ensure they are properly configured for CCPA compliance. As the Honda settlement illustrates, these mechanisms must provide consumers with symmetrical choice pathways and be designed to apply verification requirements only where necessary, preventing the unnecessary collection of personal information. In addition to ensuring that contracts with third parties contain CCPA-required language, businesses should implement contract management processes to ensure the retention of contracts with third parties, including click-through terms of use.

The CPPA’s focus on personal information sales and related rights to opt out and limit is also notable in light of the motivating concerns of the connected vehicle enforcement sweep; namely, the collection of consumers’ locations, personal preferences, and details of daily life through connected vehicle technologies. Despite the centrality of such issues and technologies to the enforcement sweep, they were not mentioned in the CPPA’s allegations against Honda.

The CPPA’s recently announced enforcement actions, investigative sweeps, and rulemaking efforts[1] reaffirm its role as a leading force shaping U.S. privacy obligations. As the CPPA and other state regulators intensify their efforts to fill gaps left by shifting federal enforcement priorities, previously discussed here, businesses should anticipate heightened scrutiny and evolving compliance expectations regarding consumer privacy and security.


[1] The Wilson Sonsini Data Advisor regularly issues alerts on CCPA enforcement and rulemaking developments. Our most recent alerts on these issues include: the CPPA's proposed Delete Request and Opt-Out Platform (DROP) regulations; the rulemaking on cybersecurity audits, automated decision-making technology, and privacy risk assessments; and the recent CCPA enforcement action against a video game app developer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wilson Sonsini Goodrich & Rosati
