Last week, the California Privacy Protection Agency (CPPA) settled its first non-data broker enforcement action against American Honda Motor Co. for a $632,500 fine and the implementation of certain remedial actions.

The CPPA alleged that Honda violated the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively the CCPA) by:

1. Requiring consumers to provide more information than necessary to exercise their rights under the CCPA. When submitting a request, a consumer is required by Honda’s webform to provide their first name, last name, address, city, state, zip code, email, and phone number. The CPPA alleged that this violated the CCPA by requiring a higher level of verification than required for an opt-out or to limit the use of certain information requests.
2. Requiring consumers to directly confirm that they have permitted another individual to act as their authorized agent to submit a request to opt-out or limit use. While a company may request written documentation indicating that an individual is an authorized agent for a consumer, a company may not require a consumer to directly confirm that they have provided the permission; companies may only contact consumers directly for requests to know, access, and correct.
3. Failing to implement a cookie management tool that provides symmetrical choice when a consumer submits requests to opt-out of sale and/or sharing and consents to the use of their personal information. The CPPA alleged that Honda’s website automatically allows cookies by default. To turn off advertising cookies, the user must toggle a button next to “Advertising Cookies” and then click “Confirm my Choices,” but to opt back into advertising cookies, the consumer only needs to press one button. The CPPA alleges that by providing one step to opt-in but two steps to opt-out, Honda did not provide equal or symmetrical choices as the CCPA requires.
4. Failing to execute written contracts with third-party advertising companies with whom it sold, shared, and/or disclosed consumer personal information. The CPPA alleged that Honda failed to execute CCPA-compliant agreements with the third-party cookie providers it uses on its website and that it sells, shares, and/or discloses personal information for advertising and marketing across different websites.

To resolve the allegations, Honda agreed to:

• Implement a new and simpler process for Californians to assert their privacy rights
• Update its cookie preference tool to include a “Reject All” button in addition to the “Accept All” button
• Separate the methods for submitting requests to opt-out and limit the use of certain information from other rights under the CCPA
• Train its employees
• Consult a user experience designer to evaluate its methods for submitting privacy requests

The settlement amount is supported by the CPPA by calling out the number of consumers whose rights were implicated by some of Honda’s practices, which emphasizes that the CPPA will determine a fine on a per-violation basis. If your company hasn’t done so already, be sure to update your CCPA compliance program and dot the “I’s” and cross the “t’s” when it comes to your website’s privacy policy regarding cookie preferences and third-party advertisers.