On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”), entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to the CPPA’s views on various topics covered by the CCPA. Among other things, the Order makes clear that:
1. As it relates to the rights to opt out of selling or sharing personal information or to limit the use of sensitive personal information, the CCPA does not require consumers to: (a) verify their identity to exercise such rights; or (b) verify that the consumer gave his/her agent authority to make such a request. Moreover, the CCPA does not allow a company to request excess personal information from a consumer to exercise these rights.
The Order makes clear that these rights, unlike the rights to know, correct and delete, are not subject to verification. According to the Order, “these requests are not verifiable because the potential harm to Consumers resulting from an imposter accessing, deleting, or changing personal information maintained by the business is minimal or nonexistent for Requests to Opt-Out of Sale/Sharing and Requests to Limit” and “[a]t most, businesses may ask Consumers for information necessary to complete the request, such as information necessary to identify the Consumer within their systems, but they may not ask Consumers for more information than necessary to process their requests.”
As to agency, the Order states that “[t]he CCPA’s prohibition on requiring verification for Requests to Opt-Out of Sale/Sharing and Requests to Limit applies equally to requests submitted by the Consumer’s Authorized Agent. Businesses may ask the Consumer’s Authorized Agent to provide the Consumer’s signed permission demonstrating that they have been authorized to act on the Consumer’s behalf. . . However, businesses may not require the Consumer to directly confirm that they have provided the Authorized Agent permission to submit the request. Businesses may contact Consumers directly in that manner only for Verifiable Consumer Requests.”
2. The CCPA does not authorize companies to request excess information from consumers to exercise other rights (e.g., right to know, correct or delete) and requiring such excess information violates the CCPA.
As it relates to Honda, the Order states that “although Honda generally needs only two data points from the Consumer to identify the Consumer within its database, Honda’s verification process for Verifiable Consumer Requests requires the matching of more than two data points. Thus, Honda requires more information than necessary.”
3. A cookie management tool (“CMT”) that does not provide consumers symmetrical choices violates the CCPA.
Specifically, the Order states that since a consumer must go through more steps to disable a cookie than to enable it, the options provided are improper because “[s]ymmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option” and that “a choice is not symmetrical when a business’s process for submitting a Request to Opt-out of Sale/Sharing requires more steps than that business’s process for a Consumer to opt-in to the sale of Personal Information after having opted out.” Moreover, “[a] website banner that provides only two options when seeking Consumers’ consent to use their Personal Information—such as “Accept All” and “More Information,” or “Accept All” and “Preferences”—is not equal or symmetrical.” A “Reject All” option would make the choice symmetrical.
4. A company that discloses personal information to others without having in place contracts that contain the necessary terms required by the CCPA and the CCPA regulations violates the CCPA.
5. Violation of each of the foregoing subjects the business to statutory fines and remediation orders. In this case, the Order requires Honda to pay a fine of $632,500, of which $382,500 is for an alleged 153 consumer rights violations (i.e., the maximum $2,500 per non-intentional violation), and requires Honda to take a number of affirmative steps to correct the violations.