Case-Study: CPPA vs. American Honda Motor Co., Inc.

In March 2025, the California Privacy Protection Agency (CPPA) issued its enforcement decision under the California Consumer Privacy Act (CCPA) against American Honda Motor Co., Inc. The order followed an investigation that identified four major areas where Honda’s practices failed to comply with the CCPA, and it cost Honda more than $600,000.

This case study outlines the four key violations, based solely on the findings in the decision.


Over-Verification for Non-Verifiable Requests


What Happened

Honda’s online Privacy Center used a single webform for all types of CCPA consumer requests. This form applied uniform data entry requirements regardless of the type of request, whether the request required identity verification (such as a Request to Delete or Request to Know) or not (such as a Request to Opt-Out of Sale/Sharing or Request to Limit the use of sensitive personal information). Consumers were required to enter at least eight fields: name, full mailing address, email, and phone number. These fields were mandatory, and the request could not be submitted unless all were filled.


Under the CCPA, Requests to Opt-Out of Sale/Sharing and Requests to Limit are not subject to verification requirements, due to their lower risk profile. The CCPA specifies that businesses may not require consumers to verify their identity for these requests and must not create undue burdens that could impair or subvert consumers’ ability to exercise their rights (Cal. Civ. Code § 1798.135(c)(1); Cal. Code Regs. tit. 11, §§ 7026(d), 7027(e), 7004).

Honda’s implementation failed to distinguish between request types and effectively imposed verification where it was not legally allowed.


Impact

  • At least 119 consumers were asked to provide unnecessary data for non-verifiable requests.
  • 20 requests were outright denied because consumers did not complete the overburdensome verification process.
  • Honda’s approach was found to interfere with consumer choice, a direct violation of Cal. Code Regs. § 7004.

Barriers to Agent-Submitted Requests


What Happened

The CCPA allows authorised agents to submit requests on behalf of consumers. Honda’s webform had a checkbox for agents, but after submission, the process required the consumer to personally confirm that the agent was authorised, even for non-verifiable requests, such as opt-outs and limitations.



According to Cal. Code Regs. tit. 11, § 7063, while businesses may request that the agent provide proof of authorisation, they may not require direct confirmation from the consumer unless the request is verifiable. Requiring a consumer to confirm an agent’s submission for a non-verifiable request is expressly prohibited.

Honda’s system did not differentiate between types of requests made by agents, and treated all as if they required direct consumer confirmation. This placed unlawful procedural barriers in the way of consumers exercising their rights through authorised representatives.



What Happened

Honda’s websites (both Honda and Acura brand domains) used a third-party cookie management platform to facilitate user privacy choices. However, the user interface presented consumers with an easier path to accept tracking cookies than to reject them:

  • To accept all cookies, consumers only needed to click a single “Allow All” button.
  • To opt-out (e.g., reject advertising cookies), consumers had to disable the chosen settings and then click “Confirm My Choices”, adding extra steps.

Moreover, when users returned to the settings, the banner prioritised the “Allow All” option, making consent more prominent and easier to execute than withdrawal.



Cal. Code Regs. § 7004(a)(2) requires businesses to provide symmetry in choice. Privacy-protective choices (like opting out of sharing) must not be harder to access or execute than less protective choices (like consenting to advertising). Additionally, businesses must avoid confusing or coercive interface designs.

The CPPA found that Honda’s cookie interface violated these requirements by creating an asymmetrical user experience, impairing the ability of consumers to exercise their opt-out rights freely and easily.


Impact

  • Consumers faced a difficult opt-out process, while opt-in occurred with a single click.
  • Honda’s design undermined the fairness and clarity mandated by the CCPA.

Absence of Required Contracts with Ad Tech Vendors


What Happened

Honda shared or disclosed personal information with advertising technology vendors for cross-context behavioural advertising. However, during the CPPA’s investigation, Honda could not produce contracts with those vendors that met CCPA requirements.


The CCPA requires that when a business discloses personal information to a third party for processing, it must have a written contract that:

  • clearly defines the permitted purposes for data use.
  • prohibits unauthorised retention, use, or disclosure.
  • requires the third party to provide the same level of privacy protection as the business.

(See Civ. Code § 1798.100(d); Cal. Code Regs. §§ 7051–7053.)

Failure to implement these contractual safeguards means that disclosures may be treated as sales or unauthorised sharing, exposing consumers to unregulated data uses.


Impact

  • Honda’s failure to formalise these relationships left consumer data unprotected and potentially subject to use beyond what the CCPA allows.
  • The CPPA concluded that this omission increased the risk of unlawful downstream processing of consumer personal information.

Conclusion

This case against Honda is a useful reminder that compliance isn’t just about having the right policies on paper - it’s about how things work in practice. The CPPA looked closely at how Honda’s systems, forms, and interfaces actually functioned for real users. And where they created confusion or unnecessary barriers, it counted as non-compliance.

  • Request forms need to match the legal categories. Don’t treat all requests the same, especially when some don’t require verification.
  • Authorised agents should be able to act without the consumer jumping through extra hoops.
  • UX design isn’t neutral. When one option is easier than another, it matters. Opt-out shouldn’t be harder than opt-in.
  • Data sharing requires contracts. If you’re sending data to ad tech vendors, the paperwork needs to be in place.

Please find the decision here.



Written By

Anastasiia Klymenko