Data, Privacy + Cybersecurity Insights
March 21, 2025

California Privacy Agency Signals Stronger CCPA Enforcement in Settlement with Honda

On March 7, 2025, the California Privacy Protection Agency (Agency) reached a settlement with American Honda Motor Co. (Honda) resolving allegations that the company violated the California Consumer Privacy Act (CCPA). The order required Honda to pay a $632,500 fine and implement changes to its data privacy practices.

The Agency alleged that Honda improperly required consumers to verify their identity or the authorization of an agent on their behalf in order to submit opt-out requests. While the CCPA allows businesses to verify the identity of consumers or the authorization of agents for exercising other rights, such as access or deletion, it does not permit verification in opt-out requests. Moreover, the Agency alleged that Honda’s cookie management tool made it more difficult for consumers to opt out of tracking than to opt in. Given the latest wave of class action litigation and claims around cookies and pixels, businesses should pay close attention to the Agency’s analysis of Honda’s consent modal.

This was the Agency’s first enforcement action under the CCPA. Until now, the law had been enforced only by the California Attorney General. The order stems from the Agency’s ongoing investigation into data privacy practices in the connected car industry and signals increased regulatory scrutiny for automakers and other technology-driven businesses. The Agency is the first government agency dedicated to privacy enforcement in the U.S. The order comes on the heels of a privacy enforcement action by the Texas Attorney General against General Motors.

Key Takeaways

  • The settlement highlights the importance of ensuring that consumer-facing privacy interfaces comply with regulatory requirements and provide a user-friendly experience. Website forms that collect personal information, opt-out mechanisms, and consent management tools must be clear, accessible, and designed to facilitate—rather than hinder—consumer rights requests. Regulators actively monitor these interfaces through audits, automated compliance tools, and consumer complaints, making public-facing compliance a critical area of focus.
  • Companies, particularly those handling large volumes of consumer data or using ad tech tools, should regularly evaluate and refine their privacy touchpoints to ensure they align with CCPA requirements and prioritize ease of use for consumers. In particular, businesses should:
    • Ensure consumer data request workflows collect only necessary information and apply identity verification only where necessary and permitted.
    • Review consent management tools (e.g., cookie banners) for fairness and symmetry—ensuring consumers can opt out as easily as they can opt
    • Verify that contracts with all third-party data recipients contain CCPA-required terms and can be produced on demand.
    • Regularly train relevant staff on CCPA compliance.

Below, we summarize the key findings of the Agency’s order.

Findings and Violations

The Agency alleged four violations of the CCPA:

  1. Excessive Information Requests for Data Subject Rights.

The Agency alleged that Honda required consumers to provide more information than necessary when exercising their privacy rights.

Under the CCPA:

  • Requests to access, delete, or correct personal information require identity verification (verifiable consumer requests).
  • Requests to opt out of the sale or sharing of personal data or limit the use of sensitive personal information do not require verification.

However, Honda applied the same verification process to all requests, requiring consumers to fill in eight separate data fields (including full name, address, email, and phone number) in its online form. The Agency argued that this practice created an unnecessary barrier for consumers attempting to opt out or limit the use of their data.

The Agency also noted that Honda typically needs only two data points to identify a consumer in its database. Hence, Honda’s verification process demanded more information than necessary even for requests that did require identity verification.

The focus on data minimization in this enforcement action aligns with the Agency’s enforcement advisory on data minimization issued in April 2024, which emphasized that businesses should only collect the minimum data necessary to process consumer requests and should not impose unnecessary burdens that could deter consumers from exercising their rights.

  2. Improper Authorized Agent Verification.

Under the CCPA, consumers can designate an authorized agent to request an opt-out of sale/sharing or to limit the use and disclosure of sensitive personal information on their behalf.

While businesses may require proof of authorization (such as a signed permission document) for an agent’s submission of these requests, they may not require the consumer to directly confirm the authorization with the business. Direct confirmation is only permitted for access, correction, or deletion requests, not for opt-out requests or requests to limit.

The Agency alleged that Honda failed to distinguish between these types of requests and unlawfully required consumers to personally confirm that they had authorized an agent to submit opt-out requests or requests to limit on their behalf. This added an unnecessary step, making it harder for consumers to exercise their rights.

  3. Asymmetry in Opt-In and Opt-Out Choices.

Honda provides consumers the ability to submit requests to opt out of sale/sharing for cross-context behavioral advertising through a third-party cookie management tool.

The Agency alleged that Honda’s privacy settings in its cookie management tool made it harder to opt out of data sharing than to opt in. In Honda’s cookie management tool, a consumer had to take two steps to opt out of the sale or sharing of personal information (e.g., toggling off a setting and clicking “Confirm My Choices”) whereas opting back in required just a single click (via an “Accept All” button). The Agency found that this discrepancy violated the CCPA’s requirement for symmetry in choice, which mandates that privacy-protective options be as easy to exercise as less protective ones. According to the Agency, Honda should have provided a “Reject All” option alongside “Accept All” to ensure an equal or symmetrical choice.

  4. Failure to Establish Contracts with Ad Tech Partners.

The Agency found that Honda shared consumers’ personal information with advertising technology vendors without the required contractual safeguards. The CCPA requires businesses to execute contracts with third-party data recipients that restrict use of personal data to specified purposes and require compliance with the CCPA. Honda was unable to produce contracts that included the mandatory CCPA provisions for its ad tech vendors.

Fine and Corrective Actions

Honda was ordered to pay a $632,500 administrative fine, with $382,500 specifically tied to 153 consumers whose rights were affected by the company’s practices. Under the CCPA, the Agency can impose fines of up to $2,500 per violation—or $7,500 per intentional violation—with adjustments for inflation. This case highlights that fines are calculated on a per-violation basis, meaning even routine compliance missteps can quickly escalate into substantial penalties when they impact multiple consumers.

In addition to the fine, the company must implement a series of remediation steps, including:

  • Establishing separate methods for submitting verifiable requests (requests to access, correct, or delete data, which require identity verification) versus non-verifiable requests (requests to opt out of sale/sharing and limit the use and disclosure of sensitive personal information).
  • Changing its authorized agent process so that agents can submit opt-out or limit requests without requiring direct consumer confirmation.
  • Within its cookie management platform, including a “Reject All” button to provide symmetry in choice with the “Allow All” button.
  • Engaging a UX designer to assess Honda’s methods for submitting CCPA requests and recommend improvements.
  • Providing updated training to all personnel who handle CCPA requests.
  • Ensuring contracts with all third-party data recipients contain CCPA-compliant terms.

Takeaway for Businesses

The Agency is ramping up enforcement of consumer data rights and data minimization practices. Even standard compliance efforts can draw penalties if they are implemented in a way that frustrates consumer choice. The Honda case serves as a clear warning that regulators will not tolerate unnecessary hurdles—whether excessive form fields, multi-step opt-outs, or improper verification requirements.
