Honda Fined for CCPA Violations
The California Privacy Protection Agency (CPPA) announced it fined Honda for CCPA violations. The $632,500 penalty was handed down after an investigation concluded the automaker violated Californians’ privacy rights in the following ways.
Requiring Excessive Personal Information to Exercise Privacy Rights
Honda’s online privacy center included a listing of privacy choices and links to various request forms, including an option for submitting a privacy request, a request to correct, and a request to appeal a denial.

Honda’s “Submit a Privacy Request” link took consumers to a “Consumer Privacy Rights Request Form” that required the same information for five different requests:
- Do Not Sell or Share My Personal Information
- Limit Use of My Sensitive Personal Information
- Opt-Out of Automated Decision Making and Profiling
- Personal Information Disclosure
- Delete My Personal Information
Honda’s webform required consumers to provide their first name, last name, address, city, state, zip code, preferred method to receive updates, email, and phone number to submit the request.
The issue is that Honda verified the consumer’s request and identity even when the request was an opt-out of sale/sharing. Consumers are not obligated to verify their identity to exercise this right.
A Longer Opt-out Process Than Opting-in
The CCPA requires symmetry in choice, meaning the path to exercise a more privacy-protective preference cannot be longer or more difficult than the path to a less privacy-protective preference. Essentially, a consumer on your website should be able to opt out in the same number of clicks as it takes to opt in.
The cookie management tool on Honda’s website gave consumers the ability to opt out of advertising and other technology that tracks website activity for cross-context behavioral advertising purposes. The cookies identified in the cookie management tool were “allowed” or “active” by default.
To turn off the Advertising Cookies, consumers had to complete two tasks: toggling the button off and clicking the “Confirm My Choices” button.
Consumers could opt back into Advertising Cookies in one step by clicking the “Allow All” button. This resulted in a choice that was not symmetrical.
Barriers for Consumers Using Authorized Agents to Act on Their Behalf
The CCPA gives consumers the right to have Authorized Agents act on their behalf when asserting their rights. Honda’s webform for submitting a privacy request contained a checkbox for Authorized Agents submitting on behalf of a consumer.
When this box was checked, Honda sent correspondence asking if the preferred method of communication was email or U.S. Mail. Both choices reflect the consumer’s email address or U.S. Mail address. This is a violation because the CCPA does not have verification requirements for opt-out requests when the request is submitted by an Authorized Agent.
Unable to Produce Contracts with Advertising Technology Vendors
Honda sells, shares, or discloses personal information about consumers collected on its websites to advertising technology companies. The advertising companies use the data to track consumers across different websites for advertising and marketing purposes.
The CCPA requires businesses that collect and disclose personal information to a third party to include specific provisions for consumer protection in a contract with the third party. Honda could not produce contracts with the advertising technology companies it works with.
Read the CPPA’s complete Order of Decision.
Takeaways from the Honda CCPA Fine
This CCPA enforcement against Honda is the latest in a series of events emphasizing the importance of website privacy and consent functionality. There have been multiple lawsuits stemming from the use of Meta Pixel. In 2024, the CPPA issued an enforcement advisory for dark patterns, which are user interfaces that subvert or impair consumers’ autonomy, decision-making, or choice when asserting their privacy rights or providing consent. Also in 2024, the New York AG published a privacy controls guidance website to help businesses understand how to meet privacy requirements under the state’s consumer protection laws.
Businesses must assess their website’s privacy and consent tools to determine if they are functioning in a manner compliant with all applicable privacy and consumer protection laws. It’s also important that the information provided to your website visitors on cookie pop-ups, privacy notices, privacy control configurations, etc. is accurate. For your privacy statements to remain accurate, you must determine if your privacy controls are working correctly and as described.
CompliancePoint offers Cookie Management Services to help businesses with privacy and consent functionality. We can also help with all aspects of CCPA compliance. Reach out to us at connect@compliancepoint.com to learn more.