Landmark Privacy Law Enforcement Settlement Highlights Costs of Non-Compliance

1 May 2025 | ZAC SOTO

Introduction and Summary of Settlement

In a landmark development for data privacy enforcement in California, the California Privacy Protection Agency (“CPPA”) has reached a settlement with American Honda Motor Co., Inc.  under the California Consumer Privacy Act (“CCPA”). Under the terms of the settlement, one of the first of its kind (particularly relating to covered entities that are not “Data Brokers” under California law), the CPPA imposed a fine of $632,500 against American Honda Motor Co., Inc. (“Honda”), with the settlement amount stemming from multiple alleged violations of the CCPA. The calculation of this administrative fine is derived from 153 identified violations of the CCPA by Honda. Notably, while this number of violations reflected a small fraction of Honda’s consumer interactions, the CPPA emphasized that even minor percentages of violations are actionable, reinforcing the agency’s strict compliance expectations.

Additionally, Honda was required to consult a user experience designer in order to implement new and simpler processes for Californians to assert their privacy rights (including compliance with CPPA mandated changes), certify compliance with the state as to making designer-suggested changes, and train Honda personnel with respect to CPPA mandated privacy processes. This action serves as a critical reminder to businesses of all sizes that compliance with California’s privacy laws must be taken seriously — and that enforcement is no longer theoretical.

Overview of Violations

According to the CPPA’s Order of Decision, Honda was found to have violated several provisions of the CCPA. Key violations include:
  • Asymmetrical Cookie Consent Mechanisms: Honda’s cookie management tool allowed consumers to permit all cookies with a single click of an “Allow All” button, while rejecting cookies required consumers to select which individual categories of cookies would be rejected and subsequently click a “Confirm My Choices” button. This violated the CCPA’s requirement that consumer choice mechanisms regarding data privacy be “symmetrical,” meaning that a consumer’s ability to allow or disallow cookies, or to exercise or decline to exercise CCPA data privacy rights, should follow substantially identical processes. In this case, the fact that Honda’s process for allowing cookies required a single button click, while the process for rejecting cookies required multiple consumer decisions, resulted in prohibited asymmetry in consumer choice mechanisms.
  • Overly Burdensome Consumer Request Processes: Honda improperly required consumers to fill out eight data fields for identity verification purposes in order to exercise their rights to opt-out of the sale or sharing of their personal information or to limit the use of sensitive personal information.  Unlike the consumer rights to delete, correct, or request and receive personal information, which all require covered processors to verify the identity of the consumer requesting to exercise such rights, requests to opt-out of the sale or sharing of personal information or to limit usage of sensitive personal information do not require verification, and in fact such verification requirements are prohibited under the CCPA.  The CPPA determined that this created undue and prohibited burdens on consumers seeking to exercise their data rights under the CCPA.
  • Failure to Maintain Contracts with Advertising Partners: Honda was unable to produce contracts with certain advertising technology partners with whom it had shared personal information, violating CCPA requirements that covered entities sharing personal information with third parties enter into agreements containing CCPA mandated provisions designed to protect such personal information.

Practical Takeaways for Businesses

  1. Prioritize Symmetry in Consumer Choice Mechanisms
    Businesses must ensure that consumers can exercise their choices (such as opting out of cookies or data sales) as easily as opting in. “Dark patterns” — user interfaces designed to make opting out of data sharing or exercising of privacy rights more difficult — are now a major enforcement focus.

  2. Simplify and Tailor Consumer Request Verification
    Organizations should design processes that collect only the minimal amount of data necessary to verify consumer identities, and only require verification where such verification is required for exercise of privacy rights under the CPPA. The CPPA affirmed in its settlement that over-collection of information and imposition of inappropriate verification processes for exercise of consumer rights under the CCPA represented a violation of the CCPA.

  3. Audit and Formalize Third-Party Contracts
    Businesses must review and maintain formal contracts with all service providers and advertising partners that process personal information on their behalf. These contracts should contain specific CCPA-mandated provisions, and businesses should collaborate with data privacy counsel to ensure legal compliance.

  4. Elimination of the “Right to Cure”
    Previously, businesses had a statutory 30-day opportunity to cure violations. However, following amendments to the CCPA, the right to cure has been eliminated. The Honda settlement reflects this shift: no mention was made of an opportunity to cure being offered. Because the right to cure is now discretionary rather than mandatory, businesses should proactively address potential compliance gaps. Relying on regulators to provide notice and cure periods is no longer a viable strategy.

  5. Treat CCPA Compliance as a Company-Wide Initiative
    The Honda case underscores that CCPA compliance is not limited to a company’s legal team. Marketing, IT, and product development departments must all work in concert to ensure privacy standards are embedded into their operations. Appropriate personnel training regarding privacy standards is an essential part of ensuring proactive legal compliance with privacy laws.

  6. Review Cookie Management Tools and Consent Practices
    Many businesses, especially those relying on third-party cookie solutions, should reassess whether their platforms comply with the CCPA’s consent requirements. It is no longer acceptable to have opt-outs hidden or more difficult to exercise than opt-in mechanisms.

Conclusion

The CPPA’s first enforcement action under the CCPA hammers home that proactive and comprehensive privacy compliance is now a cost of doing business in California. Business owners should view the Honda settlement not as an isolated event, but as a clear indicator of future enforcement trends.
To navigate this rapidly evolving landscape, businesses must proactively audit their data practices, update consumer-facing tools, simplify verification processes, and ensure all third-party relationships are governed by compliant contracts. Early action can help mitigate enforcement risks, protect customer trust, and position businesses for success in the new era of privacy accountability.
The team at PAG Law remains available to assist in reviewing your company’s CCPA compliance strategy or in responding to consumer requests.
