Honda settles with CPPA over privacy violations: Automaker to change business practices and pay $632,500 fine

In a landmark privacy enforcement action, the California Privacy Protection Agency (CPPA) has reached a settlement with American Honda Motor Co. (“Honda”) following allegations that the automaker violated the CCPA. The settlement, announced on March 12, requires Honda to pay a $632,500 fine and implement significant changes to its privacy practices to comply with the law.

The CPPA’s enforcement division initiated its investigation into Honda in July 2023 as part of a broader review of data privacy practices in the connected vehicle industry. The agency assessed whether automakers were handling consumer data in compliance with CCPA regulations. Honda was found to have engaged in multiple violations of consumer privacy rights, leading to the enforcement action.

According to the CPPA, Honda committed four primary violations. First, it required consumers to provide excessive personal information when exercising their privacy rights, even in situations where verification was not legally necessary. The CCPA allows consumers to opt out of the sale or sharing of their personal data without undergoing an identity verification process, yet Honda’s system imposed unnecessary burdens on consumers attempting to exercise this right. Second, the agency found that Honda’s online privacy rights management platform lacked fairness and symmetry, making it easier for consumers to opt into data sales while making it more difficult to opt out. This practice violated Section 7004(a)(2) of the CCPA regulations, which mandates that privacy choices must be presented in a neutral and equal manner.

The third violation involved Honda’s failure to provide a user-friendly process for consumers to authorize third parties, known as “authorized agents,” to exercise privacy rights on their behalf. This deficiency made it significantly more difficult for consumers to take advantage of their legal protections. Finally, the CPPA determined that Honda failed to produce contracts with its ad tech providers that included the required privacy safeguards. These contracts are crucial for ensuring that third parties receiving consumer data adhere to legally mandated privacy protections.

To resolve the allegations, Honda has agreed to pay a $632,500 fine. Of this amount, $382,500 accounts for specific violations affecting 119 consumers who were required to provide unnecessary information, 20 consumers whose opt-out requests were denied due to improper verification requirements, and 14 consumers who were forced to confirm with Honda directly that they had authorized an agent to act on their behalf. The remaining fine was imposed for Honda’s failure to comply with contractual privacy requirements.

Beyond the financial penalty, Honda is required to implement multiple compliance measures, including:

• Introducing a new, streamlined process for consumers to submit privacy rights requests
• Consulting a user experience (UX) designer to review and enhance its privacy request submission system to ensure it aligns with CCPA fairness standards.
• Provide employee training on CCPA compliance, ensuring that its staff fully understands and correctly handles consumer privacy requests
• Revise its contracting process with third-party recipients of consumer information, guaranteeing that all agreements contain the required privacy protection clauses
• Certify its compliance with these corrective actions and provide evidence of implementation

The CPPA’s enforcement order mandates that Honda make specific technical improvements to its privacy system. This includes:

• Having separate methods for submitting verifiable and non-verifiable requests to ensure consumers can opt out of data sharing without unnecessary steps
• Modifying its cookie management tool by adding a “Reject All” button to ensure that privacy-protective choices are as easy to execute as opt-in options
• Updating its systems to recognize and comply with the Global Privacy Control signal for known consumers

The CPPA’s enforcement action underscores its growing focus on data privacy violations in the automotive industry. With modern vehicles collecting and processing vast amounts of consumer data, automakers must prioritize privacy compliance or risk facing substantial fines and reputational harm.

The financial penalties associated with CCPA violations can be significant. Under the law’s penalty structure, administrative fines can reach up to $2,500 per violation and $7,500 per intentional violation, with adjustments for inflation. In Honda’s case, the fine amount suggests that the enforcement division considered multiple violations affecting a significant number of consumers. This enforcement action serves as a warning to companies that failing to comply with California’s privacy laws can lead to serious financial and legal repercussions.

For California consumers, the Honda settlement represents a meaningful step toward enforcing their privacy rights. As a result of the CPPA’s action, Honda must now provide a clearer and more accessible privacy rights system, ensuring that consumers can exercise their rights without unnecessary hurdles. The settlement also sets a precedent for other automakers and technology companies, reinforcing the principle that privacy compliance is not optional but a legal requirement. The recent enforcement actions are likely to serve as a warning to other companies that handle consumer data, emphasizing the necessity of fair, transparent, and accessible privacy practices.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.