Honda CCPA Settlement: Key Takeaways for Privacy Professionals

March 19, 2025

As predicted at the start of 2025, enforcement agencies in the United States are picking up the pace of privacy investigations and enforcement actions related to comprehensive state privacy laws. A recent investigation by the California Privacy Protection Agency (CPPA) claimed that Honda Motor Co. violated consumer privacy rights guaranteed by the California Consumer Privacy Act (CCPA). Digging deeper into the findings and decisions provides helpful guidance and insight for all organizations as they work on maturing their privacy programs and ensuring that consumers’ privacy rights and expectations are protected.

What Happened?

On March 12, 2025, the California Privacy Protection Agency (CPPA) Board issued a decision requiring Honda Motor Co. to pay a $632,500 fine and change business practices to resolve claims of violations of the California Consumer Privacy Act (CCPA). The claims arose from an investigation by the CPPA’s Enforcement Division and allege that Honda violated Californians’ privacy rights. 

What Were the Alleged Violations?

According to the CPPA’s announcement about the settlement:

The CPPA’s Enforcement Division alleged that Honda violated Californians’ privacy rights by:

  • Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit;
  • Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
  • Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

Let’s unpack each of these allegations and the factual findings from the Order of Decision to surface key takeaways from each.

What Can We Learn?

Allegation #1: Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit

Factual Findings

Honda used an Online Preference Center to facilitate the submission of consumer privacy requests for five different requests:

  1. Do not sell or share my personal information
  2. Limit use of my sensitive personal information
  3. Opt out of automated decision making and profiling
  4. Personal information disclosure
  5. Delete my personal information

As a part of the webform submission process for each of these requests, Honda required consumers to provide their first name, last name, address, city, state, zip code, preferred method to receive updates, e-mail, and phone number in order to submit a request. 

While the information required could be argued to be necessary for verifiable consumer requests, it is stipulated that the CCPA prohibits businesses from requiring consumers to verify themselves before processing requests to opt-out of sale/sharing and requests to limit. For these requests, at most, a business may ask consumers for information necessary to complete the request, such as information necessary to identify the consumer within their systems. Businesses may not ask for more information than is necessary to process the request (Civ. Code § 1798.135(c)(1); Cal. Code Regs. tit. 11, §§ 7026(d), 7027(e)). 

Key Takeaways

  1. Opt-out of sale/sharing and requests to limit the use and disclosure of sensitive personal information are not Verifiable Consumer Requests. To effectuate these requests, you may not ask for more information than is necessary to process the request. In the case of online data collection, this often will only require a device ID. 
  2. Processes for submitting opt-out of sale/sharing and requests to limit should be distinguished from processes for Verifiable Consumer Requests to allow for differences in the information required to process them.

Allegation #2: Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way

Factual Findings

Honda used the Consent Management Platform (CMP) OneTrust to manage the user consent experience to opt out of sale/sharing. In using the default cookie experience, Honda’s categorization of platforms as “Advertising Cookies” allowed them to effectuate consumers’ opt-out requests for sale/sharing. For a consumer to opt out, they needed to deselect “Advertising Cookies” and then confirm their choice. However, in order to opt back into “Advertising Cookies”, the user only needed to make one selection (“Allow All”). This violated the required principle of “symmetry of choice” in the consent selection, as it took more actions to opt out of the sale/share behavior than it did to opt back in.

The CPPA’s order goes on to detail that a website banner that provides two top-level choices for a consumer to “Accept All” and “More Information” or “Accept All” and “Preferences” is also not equal or symmetrical. This is because it only takes one action to “Accept” but requires multiple actions to opt out (select “More Information”/“Preferences” -> make opt out selection -> save selection).

Key Takeaways

  1. The user consent experience should not require more actions from a user to opt out of a personal information processing/cookie usage purpose than it takes for a user to opt-in, consent, or acknowledge. 
  2. A Consent Management Platform is only a tool (albeit a helpful one that we recommend). Compliance requires the proper configuration of any tools in use to respect the privacy rights and expectations of consumers.

Allegation #3: Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights

Factual Findings

The CCPA allows consumers to authorize other natural persons or business entities, known as Authorized Agents, to act on their behalf in asserting their rights (Cal. Code Regs. tit. 11, § 7063). While Honda allowed Authorized Agents to submit requests on behalf of consumers, they required the Authorized Agent to provide a preferred communication method for the consumer on whose behalf they were submitting the request in order to provide verification. Since the CCPA prohibits requiring verification for requests to opt-out and requests to limit, businesses may not require the consumer to directly confirm that they have provided the Authorized Agent permission to submit these types of requests. 

Key Takeaways

  1. While it is permissible to ask an Authorized Agent to demonstrate they have been authorized to act on a consumer’s behalf, do not require additional direct consumer verification for a request to opt-out or request to limit when the request is submitted by an Authorized Agent. 

Allegation #4: Sharing consumers’ personal information with adtech companies without producing contracts that contain the necessary terms to protect privacy

Factual Findings

Honda collected personal information about consumers on its website and then sold, shared, or disclosed that information to advertising technology companies. Those advertising technology companies then used the personal information to track consumers across different websites for advertising and marketing purposes. The CCPA requires businesses that collect and disclose personal information to third parties, service providers, or contractors to enter into agreements with the third party, service provider, or contractor to meet certain privacy requirements to protect the privacy rights of consumers (Civ. Code § 1798.100(d); Cal. Code Regs. tit. 11, §§ 7051, 7053). It was found that Honda could not produce the required contracts with the advertising technology companies to which personal information was disclosed. 

Key Takeaways

  1. Ensure that you understand all platforms to which you are disclosing personal information. In the case of data collection on websites, this means you need a fully documented tag inventory to understand all the advertising technology vendors loading and collecting information about your consumers.
  2. Once all technology platforms have been inventoried, ensure that proper contracts are in place (usually in the form of a Data Processing Agreement) with appropriate provisions to protect the privacy rights of consumers.

What Can You Do?

As evidenced by this investigation, designing, implementing, and maintaining a compliant architecture to manage consumer privacy requests is difficult. It can be helpful to break down the requirements and build an effective process from there. 

  1. Understand all businesses with whom personal information is shared. In the case of a website, this means doing a tag audit to create an inventory of all unique platforms that are loading and collecting information. It is not enough to rely solely on internal questionnaires to stakeholders. Especially with platforms in use for advertising and marketing, the amount of opaque data sharing resulting from the use of third-party technologies can be staggering.
  2. Once all platforms in use have been inventoried, go through and document the nature of data being collected and shared along with the processing purposes for each. 
  3. Again, based upon the platform inventory, ensure that proper contracts are in place with each vendor and that consumer privacy rights are contractually protected. 
  4. Define a Tag/Cookie Consent Policy to reflect documented standards and understanding of platforms and processing activities in place. The live website environment should be regularly audited to ensure that only authorized data collection and disclosure is occurring. 
  5. Design the consumer consent and privacy preferences experience to ensure they are easy to understand, provide symmetry in choice, avoid language or interactive elements that are confusing to the consumer, avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice, and are easy to execute. 
  6. Differentiate the consumer request processes for Verifiable Consumer Requests and requests that do not require consumer verification (requests to opt out of sale/share and requests to limit). Ensure that requests not requiring consumer verification only require the information necessary to process the request. 
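
The tag audit, contract check, and live-site audit from steps 1, 3, and 4 can be automated against captured network traffic. The following is an added example, not code from the CPPA order or from InfoTrust; the site name, vendor domains, inventory layout, and request list are constructed, and it assumes only vendors documented with an advertising purpose fall under the sale/sharing opt-out.

```python
from urllib.parse import urlsplit

# Constructed sample data: hypothetical first-party site, vendors and requests.
FIRST_PARTY = "shop.example"
INVENTORY = {  # vendor domain -> documented purpose and contract status
    "adtech-one.example": {"purpose": "advertising", "contract": True},
    "adtech-two.example": {"purpose": "advertising", "contract": False},
    "metrics.example": {"purpose": "analytics", "contract": True},
}
# (request URL, whether the consumer had opted out of sale/sharing when it fired)
OBSERVED = [
    ("https://shop.example/assets/app.js", False),
    ("https://px.adtech-one.example/collect?id=abc", False),
    ("https://px.adtech-one.example/collect?id=abc", True),
    ("https://sync.adtech-two.example/match", False),
    ("https://cdn.unknown-tracker.example/t.gif", False),
    ("https://www.metrics.example/hit", True),
]

def vendor_for(host, inventory):
    """Return the inventory domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in inventory:
        # Match on a label boundary so look-alike hosts are not treated as the vendor.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def audit(observed, inventory, first_party):
    """Flag third-party requests that the inventory or contracts do not cover."""
    findings = set()
    for url, opted_out in observed:
        host = urlsplit(url).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is out of scope for the vendor audit
        vendor = vendor_for(host, inventory)
        if vendor is None:
            findings.add((host, "not in tag inventory"))
            continue
        entry = inventory[vendor]
        if not entry["contract"]:
            findings.add((vendor, "no contract on file"))
        if opted_out and entry["purpose"] == "advertising":
            findings.add((vendor, "advertising tag fired after opt-out"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, issue in audit(OBSERVED, INVENTORY, FIRST_PARTY):
        print(f"{subject}: {issue}")
```

In practice the observed list would come from a crawl or browser export of the live site, captured once with default settings and once after opting out.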


Author

  • Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

Last Updated: March 19, 2025