ARTICLE
27 March 2025

Honda Settles With The CPPA Over Privacy Violations: Key Takeaways For Businesses

Bass, Berry & Sims

Contributor

Bass, Berry & Sims is a national law firm with nearly 350 attorneys dedicated to delivering exceptional service to numerous publicly traded companies and Fortune 500 businesses in significant litigation and investigations, complex business transactions, and international regulatory matters. For more than 100 years, our people have served as true partners to clients, working seamlessly across substantive practice disciplines, industries and geographies to deliver highly-effective legal advice and innovative, business-focused solutions. For more information, visit www.bassberry.com.

The California Privacy Protection Agency (CPPA) recently announced a settlement with American Honda Motor Co., Inc. (Honda) over alleged privacy violations. The settlement arises from the CPPA's investigation into the privacy practices of connected vehicle manufacturers, which began in July 2023. As a result of the settlement, Honda will pay a civil monetary penalty of $632,500. The settlement alleged three areas where Honda's practices were non-compliant with the California Consumer Privacy Act (CCPA). In this alert, we identify what businesses can learn from the settlement.

Key Issues Identified by the CPPA

According to the settlement, Honda's privacy practices violated the CCPA in three primary ways.

  1. Honda required consumers to provide excessive information and to verify their identities when making requests to opt out of the sale or sharing of personal information. Businesses must verify a consumer's identity for certain consumer requests under the CCPA (such as requests to delete personal information). The CCPA, however, prohibits businesses from requiring a consumer to verify their identity to opt out of the sale or sharing of personal information or to limit the use of sensitive personal information. According to the settlement, Honda required consumers who submitted opt-out requests to provide the same information that Honda required to submit other consumer requests, including name, address, email, phone number, and VIN. According to the CPPA, this was more information than Honda needed to comply with the opt-out request and essentially required consumers to verify their identity to submit an opt-out request. Additionally, for opt-out requests submitted by authorized agents, Honda also required consumers to confirm that they had authorized the agent to act on their behalf. The CCPA's prohibition on requiring verification for opt-out requests and requests to limit applies equally to requests submitted by a consumer's authorized agent.
  2. Honda provided asymmetrical choices to consumers for opting in and opting out of the sale or sharing of personal information through cookies. The CCPA requires businesses to implement methods for submitting opt-out and other requests that are symmetrical in consumer choice, meaning it is as easy to opt out as it is to opt in. Honda's cookie management platform allowed non-essential cookies by default and required a two-step process for opting out of advertising cookies: consumers were required to toggle individual categories of cookies and then click a button to "confirm" those choices. Meanwhile, opting back into those cookies required only a single click of a button to "Allow All" cookies.
  3. Honda shared consumers' personal information collected through its website with advertising technology companies without having appropriate contracts in place. The CCPA requires businesses to enter into agreements with their service providers, contractors and third parties to whom the business sells or shares personal information. Those agreements must, among other requirements, require the third-party service provider to limit its use of the personal information to specific, identified purposes and comply with the CCPA. Honda failed to produce contracts meeting those requirements with the third-party advertising technology companies.

Settlement Requirements

Along with the monetary penalty, Honda must implement new procedures to ensure compliance with the CCPA. These procedures include implementing a simpler process for consumers to exercise their privacy rights, minimizing data collection for verification purposes, modifying its contract management and tracking processes, training employees on CCPA requirements, and consulting a user experience designer to evaluate its methods for submitting privacy requests.

Key Takeaways

The CPPA's enforcement action against Honda underscores the importance of adhering to CCPA requirements. To mitigate the risk of similar penalties, businesses should do the following:

  • Minimize information required for opt-out requests. Businesses should ensure their processes for submitting consumer personal information requests ask for only the minimum information needed to comply with the request. Businesses should only require the consumer to verify his or her identity when necessary and permitted by law.
  • Ensure consumer choices are symmetrical. Businesses should evaluate how consumers choose to opt in and opt out of the use of personal information by the business, especially regarding the use of cookies. Opting out should require no more actions than opting in.
  • Review contracts with third-party vendors. Businesses should review contracts with service providers and other recipients of personal information to confirm that they include required provisions and obligate those third parties to comply with the law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
