A major vehicle automaker will have to change its business practices and pay a hefty fine to resolve claims that the company violated the California Consumer Privacy Act (CCPA), according to the state regulatory authority created by the act. American Honda Motor Co. agreed to pay $632,500 to resolve various allegations lodged by the California Privacy Protection Agency (CPPA) that Honda’s process for consumers exercising their privacy rights through their website required excessive personal information, failed to offer symmetrical choice structures for opting in versus opting out, and made it difficult to authorize an agent to act on behalf of the consumer. That was in addition to Honda’s sharing of consumer personal information with third parties without contracts that contained the statutorily required language.
The CPPA alleged that Honda’s consumer privacy rights tool placed an unreasonable burden on Californians where it required consumers exercising their privacy rights to submit an "excessive" amount of personal information to submit requests. Specifically, Honda required the same eight personal information data points from the consumer for five different types of consumer requests. The CCPA prohibits requiring verification for requests to opt out of sale/sharing and requests to limit the sharing of sensitive personal information, according to CPPA’s final order against Honda. With respect to authorized agents, the CPPA made clear that for consumer requests that do not require verification, a business may not require the consumer to confirm that they authorized the agent on their behalf to submit the opt-out of sale/sharing or request to limit the use of sensitive personal information.
Additionally, the CPPA claimed the automaker violated certain privacy rights by structuring their cookie consent tool in a way that "failed to offer Californians their privacy choices in a symmetrical or equal way." Last year, the CPPA issued an enforcement advisory emphasizing the importance of choice symmetry and avoiding dark pattern use — practices that have the effect of deceiving consumers when exercising their privacy choices. Concerning Honda, the CPPA alleged that consumers were required to perform two clicks to opt out of cookies while opting into cookies required only a single click. Again, the CPPA is signaling to the market that, "Symmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the Consumer’s ability to make a choice."
Last, the CPPA alleged that Honda’s website shared, sold, or disclosed consumer personal information with advertising companies through cookies. Honda failed to produce contracts with these advertising companies that contained the contractual clauses statutorily required by the CCPA. The first public enforcement actions by both the California attorney general and the CPPA involved businesses that failed to produce contracts with its advertising technology providers containing the CCPA-required language. The CPPA and the state attorney general split enforcement powers in California. In other states, the attorney general is typically tasked with sole enforcement responsibilities. Therefore, the focus on compliant contracts appears to be a signal from regulators rather than noise in the data.
For businesses subject to CCPA, this settlement serves as a critical reminder of the importance of facilitating a streamlined consumer rights request process that only requires the information reasonably necessary to comply with the consumer’s request. Moreover, the obligation to provide choice symmetry is not shifted to the vendor when utilizing popular cookie consent tools, especially where default settings do not satisfy the business’s legal requirements. Businesses must also ensure their vendor contracts contain the required contract clauses as state regulators across the country ramp up enforcement of their data privacy laws. While not at issue in this action, businesses should also regularly check their consent management and consumer rights request tools to ensure they are functioning properly, given broken tools or a non-working phone number is an easy way to catch the attention of regulators.
For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alert and insights.