Buckle Up: Honda Settlement for CCPA Violations Should Be a Warning to All Businesses
March 14, 2025
By: Amber L. Lawyer, Shannon A. Knapp, Ariyana DeWitz
On March 12, 2025, the California Privacy Protection Agency (the Agency) announced a settlement with American Honda Motor Company, Inc. (Honda) for multiple violations of the California Consumer Privacy Act (CCPA), California’s comprehensive consumer privacy law. Honda agreed to settle claims for $632,500 relating to 153 consumer request violations. The Agency determined that Honda violated the California law by requiring too much information from consumers and authorized agents to opt-out of the sale of data or to limit the use of sensitive personal information, failing to provide a symmetrical choice with its cookie management tool, and failing to provide required contractual protections with its vendors.
1. Honda Required Excessive Information from Consumers/Authorized Agents to Exercise Certain Privacy Rights
The Agency determined that Honda unlawfully required consumers to disclose more information than necessary when exercising certain consumer rights and improperly denied consumers requests for failure to verify the consumers’ identities. The CCPA distinguishes between consumer requests that require verification and those that do not. Organizations may not require verification information for consumer requests to opt-out of sale or sharing of information or request to limit the use of sensitive personal information. Here, the Agency determined that Honda only needed two data points to identify the consumer within its database and requiring addition information interfered with consumers’ ability to exercise their opt-out rights. The Agency also determined that Honda required excessive information for authorized agents to submit opt-out requests on a consumer’s behalf.
2. Honda Failed to Provide a Symmetrical Choice with Its Cookie Management Tool
The CCPA requires organizations to design and implement user-friendly methods for submitting CCPA requests and consent mechanisms that are easy to understand and provide symmetry in choice. The Agency issued a strict reading of CCPA determining that Honda’s consent tool allowed for asymmetry by requiring two clicks to disallow advertising cookies on their platform and while only one click to “Accept All” advertising cookies. Interestingly, Honda was leveraging a third-party tool, OneTrust, to provide its consent management interface.
3. Honda Failed to Provide Contracts with Specific Rules for Collecting and Disclosing Personal Information to Vendors
Pursuant to CCPA, organizations that share consumer personal information with third-parties, service providers, or contractors are required to enter into certain contract provisions with vendors to protect consumer information. Honda failed to produce contracts with its advertising technology vendors, leading the Agency to determine that Honda failed to implement appropriate safeguards to protect consumer information.
Key Takeaway: Your CCPA Compliance Procedures are Due for a Tune-Up
All entities subject to CCPA should heed the warnings brought from this settlement decision. California’s privacy enforcement agency is targeting all types of organizations, not just major technology companies, with thousands of consumer requests. Businesses should audit their online request mechanisms and consent mechanisms, even if developed by third-party providers, to ensure strict adherence with CCPA symmetry and ease-of-use requirements. Your internal procedures should include relevant vendor contract review and negotiation. It is also a good time to audit your data collection and evaluate your business’s purposes for processing personal information.
Bond’s cybersecurity and data privacy team routinely assists organizations navigating CCPA compliance. For more information or guidance concerning any of the topics above, please contact Amber Lawyer, CIPP/US & CIPP/E, Shannon Knapp, CIPP/US & CIPP/A, Ariyana DeWitz, or any Bond attorneys in the cybersecurity and data privacy practice.