International Trade Today is a service of Warren Communications News.
Car Company Promises Change

'Significant' Honda Privacy Settlement Shows CPPA Enforcement Heating Up

Honda agreed to pay $632,500 and change various privacy practices as part of a settlement with the California Privacy Protection Agency announced Wednesday. The CPPA board decided Friday to approve a settlement resolving the privacy agency's claims that the car manufacturer’s North American subsidiary violated the California Consumer Privacy Act (CCPA). The significant order shows the agency ramping up enforcement of the CCPA, said privacy attorneys.

The California agency’s Enforcement Bureau found that American Honda Motor Co. violated the CCPA by (1) requiring Californians to verify themselves and give "excessive personal information" to exercise their privacy rights to opt out and to limit use and disclosure of their sensitive personal information; (2) using an online cookie management tool that failed to offer consumers privacy choices in a symmetrical or equal way; (3) making it hard for consumers to select authorized agents to exercise privacy rights on their behalf; and (4) sharing consumers’ personal information with ad tech companies without producing contracts with necessary privacy terms.

Honda also agreed to simplify the process for Californians to assert their privacy rights, the CPPA said. Additionally, Honda must certify its compliance, train its employees and consult a user-experience designer to evaluate its methods for submitting privacy requests; change its contracting process to ensure appropriate mechanisms are in place to protect personal information; and support the Global Privacy Control, a browser-based universal opt-out mechanism.

American Honda takes its “responsibility to protect consumer privacy seriously and [is] committed to continually striving to ensure that our practices meet the highest standards,” a spokesperson said in an emailed statement. “We have cooperated fully with the CPPA throughout their investigation and have already begun implementing the changes to our processes required by the order. These changes include modifications to our methods for submitting consumer privacy requests, enhancing our cookie management tools, and updating our contract management processes.”

Said Michael Macko, head of the CPPA's Enforcement Division, “We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations.” The agreement “reflects Honda’s early cooperation and commitment to make things right,” Macko added.

“It’s a significant enforcement action” that covers a variety of alleged violations of the CCPA, said Aaron Burstein, a Kelley Drye privacy lawyer for businesses, in an interview. “It points to the agency having resources and expertise to bring these kinds of cases and there’s no sign of them slowing down.”

The CPPA Enforcement Bureau started investigating Honda on July 31, 2023, as part of a sweep of connected car manufacturers' data privacy practices. “Honda produced documents, answered the Agency’s questions, and made available a corporate representative to meet with the Agency,” the CPPA order said.

Some consumer privacy requests require businesses to verify a consumer is who they say they are, while others do not, but Honda failed to make that distinction in a webform for submitting requests, the CPPA said. Honda required consumers to provide their first name, last name, address, city, state, ZIP code, preferred method to receive updates, email and phone number to submit any kind of privacy request, according to the CPPA order. Optionally, consumers could provide the brand of the product they own and the vehicle identification number or serial number of their product.

"By requiring all of this information, Honda’s webform unlawfully requires Consumers to provide more information than necessary to exercise their CCPA rights to opt-out of sale/sharing of their personal information and to limit the use and disclosure of their sensitive personal information," the order said. "Honda essentially applies a verification standard to these rights." The CPPA added that Honda needs only two data points from a consumer to identify the person in its database.

Under CCPA, requests to delete, correct and know collected personal data require verification, while requests to limit or opt out do not. That’s because the possible harm to consumers “resulting from an imposter accessing, deleting, or changing personal information maintained by the business is minimal or nonexistent for” the latter two types of requests, the privacy agency said. “Requiring verification for the processing of” limit or opt-out requests “impairs or interferes with the Consumer’s ability to exercise those rights,” and the CCPA prohibits request methods “that substantially subvert[s] or impair[s] the Consumer’s autonomy, decisionmaking, or choice.”

In 2023, from July 1 through Sept. 23, Honda required at least 119 consumers to provide more information than necessary, denying at least 20 requests “by unlawfully requiring the Consumer to Verify themselves before processing the request,” said the CPPA order.

During the same time period, the company required at least 14 consumers "to directly confirm with Honda that they had given their Authorized Agents permission" to make those requests on their behalf, a burdensome step that CCPA doesn’t require, the agency said.

The CPPA also slapped Honda for lacking a symmetrical mechanism for turning advertising cookies off and on. The Honda website’s cookie management pop-up requires two steps to disallow each type of cookie -- one click to toggle off and a second to confirm -- but only one step to turn them back on, the agency said. After the consumer turns cookies off, the interface provides an "Allow All" button despite earlier providing no button to reject all cookies, it added.

“Businesses must design and implement methods for submitting CCPA requests that are easy to understand, provide symmetry in choice, avoid language or interactive elements that are confusing to the Consumer, avoid choice architecture that impairs or interferes with the Consumer’s ability to make a choice, and are easy to execute,” the order explained. “Symmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the Consumer’s ability to make a choice.”

Honda’s relationships with ad tech vendors were problematic, too, said the CPPA. “Despite Collecting, Selling, Sharing, and disclosing Personal Information with these advertising technology companies, Honda could not produce contracts with these advertising technology companies,” it said. “Honda’s failure to implement these safeguards has unnecessarily placed Consumers’ Personal Information at risk.”

While the CPPA tied the Honda action to a sweep of car companies, “I didn’t see anything in the order itself that was specific to the automotive industry,” said Kelley Drye’s Burstein. “The message here is broader, and there was a lot of focus on the consent management tool that OneTrust provides, and that certainly sweeps across a much broader range of companies than just one industry.”

The CPPA homed in on how Honda handled do-not-sell requests and used “consent managers that are in widespread use by many companies,” said Burstein. Any company that uses a consent manager should note the CPPA taking issue with requiring two steps to opt out while only one to opt back in, he said. “Another thing that jumped out,” said Burstein, was that the CPPA assessed the maximum penalty of $2,500 per violation to get to the $632,500 total.

The Electronic Frontier Foundation hopes this action is “the tip of the iceberg” in the CPPA’s auto privacy sweep, staff attorney Mario Trujillo said in an email. It’s “difficult for consumers to protect their privacy online and even harder in cars.” The settlement shows the agency “is getting serious about enforcement,” the EFF lawyer added. “California's privacy law took effect in 2020 but has rarely been publicly enforced. That seems to be changing for the better.”

The California order is "a concrete way to show a common set of harmful data practices -- collect so much more than you might need, keep it around, make it tough and unclear to understand or control what’s being collected, and freely capitalize on the sale of that data when convenient," emailed Ben Winters, Consumer Federation of America data privacy director. "This is a strong enforcement action that should send a message to data controllers that these dots are well-connected."

“We are dedicated to holding businesses accountable when their practices threaten Californians’ privacy rights,” said Tiffany Garcia, CPPA interim executive director. “This agreement underscores our commitment to advocating for improved business practices that truly benefit consumers.”