Key Takeaways:
- CPPA launched its first major enforcement action, targeting connected vehicle-maker Honda.
- Connected vehicles often collect various kinds of sensitive driver information, including geolocation, biometric and behavioral data.
- After the CPPA found Honda in violation of several CCPA provisions, the company agreed to settle the enforcement action for approximately $650,000 while also agreeing to adopt certain remedial measures.
- Other connected vehicle-makers have also experienced a spike in regulatory scrutiny, signaling rising enforcement pressure and growing expectations for privacy-by-design.
CPPA’s Investigation into Connected Cars
In 2023, the California Privacy Protection Agency (“CPPA”) commenced a formal investigation into the data privacy practices of vehicle manufacturers (the “Investigation”), focusing primarily on the collection, use, and disclosure of personal information by “connected vehicles.”
Connected vehicles are vehicles equipped with technologies, including global positioning systems (“GPS”), telematics sensors, onboard cameras and smartphone integrations, that can capture geolocation, biometric and behavioral data, among other kinds of consumer information. With over 35 million registered vehicles in California and the rapid growth of these technologies in newer vehicles, automakers must educate themselves about the growing privacy concerns presented by these connected vehicles, especially where these technologies are still linked to third-party service providers.
The Investigation marks the CPPA’s first formal inquiry since gaining full enforcement authority on July 1, 2023, and seeks to determine whether automakers were complying with key provisions of the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). Specifically, the agency is examining whether these vehicle manufacturers: (i) provide sufficient notice; (ii) obtain valid consent; (iii) limit data collection consistent with data minimization principles; and (iv) maintain transparency around third-party data sharing practices. See Cal. Civ. Code § 1798.
CPPA’s inquiry underscores the agency’s intent to promote accountability among manufacturers and to ensure consumers retain meaningful control over their personal data.
Honda’s Privacy Violations and Settlement Terms
On March 12, the CPPA announced its first public enforcement action based on the Investigation. The action stemmed from a series of purported CCPA violations regarding the handling of consumer privacy rights by American Honda Motor Co., Inc. (“Honda” or the “Company”). The CPPA found that:
- Honda unlawfully interfered with consumers’ ability to exercise their data rights. For example, Honda required consumers to provide excess personal information even when such verification was not legally necessary. The CPPA determined that these burdensome conditions discouraged or delayed valid privacy requests, violating the CCPA’s intent to grant consumers meaningful control over their personal information without unreasonable obstacles.
- Honda’s interface steered users toward surrendering their privacy rights. For example, Honda’s online privacy rights platform was designed in a way that made it easier for consumers to opt in to the sale of their personal information, while creating friction for those attempting to opt out. This unequal treatment of consumer choices violated CCPA’s requirement that options be presented in a fair and neutral manner.
- Honda did not provide clear or accessible methods for consumers to authorize third-party representatives (i.e., “authorized agents”) to act on their behalf. The CPPA determined that this omission weakened an essential mechanism intended to support the exercise of privacy rights, which limited consumers’ ability to benefit from guaranteed privacy protections.
- Honda failed to produce contracts with its advertising technology vendors that included the required privacy safeguards, raising serious concerns about whether the Company had properly limited how third parties could use, retain, or disclose consumer information as required under California law.
The CPPA enforcement action against Honda concluded with a settlement order (the “Order”) in which the Company agreed to pay $632,500 in monetary penalties and undertake significant reforms to its data privacy practices, including (i) creating a streamlined process for privacy rights requests, (ii) engaging a user experience designer to ensure the system meets CCPA fairness standards, (iii) training employees on proper handling of privacy requests, and (iv) revising contracts with third-party data recipients to include all required privacy protection clauses.
The Order also mandates several technical upgrades to Honda’s privacy infrastructure. For instance, Honda must establish separate processes for verifiable and non-verifiable privacy requests to reduce barriers to opting out. It must also add a “Reject All” button to its cookie management tool to ensure that privacy-protective choices are as accessible as opt-in options.
Broader Privacy Concerns in the Automotive Industry
Federal regulators and certain states, like Texas, have launched investigations into the data privacy practices of automakers, focusing on how personal information, such as driving behavior, is collected and shared with third-party insurance companies. Recently, Ford, Hyundai, Toyota and Fiat Chrysler Automobiles were sent letters by the Texas Attorney General’s Office demanding sworn answers about how they collect, share and sell consumer data.
Other major automakers have also faced privacy controversies. Earlier this year, Tesla was sued over allegations that employees accessed and shared images and videos recorded by customers’ vehicles without their consent. Yeh v. Tesla, Inc.
California lawmakers are taking action to regulate in-vehicle data collection, including, for example, by restricting the collection and use of images and videos captured by in-car cameras.
Looking Ahead: CPPA’s Growing Role in Consumer Privacy
The CPPA is actively enforcing its authority across all industries, with penalties ranging from $2,500 to $7,500 per violation. The Honda settlement marks a clear warning: as connected devices like vehicles continue to harvest large volumes of personal data, the cost of noncompliance will continue to rise. In today’s fragmented U.S. privacy landscape, businesses must ensure they offer consumers clear, meaningful choices around data use. Working closely with legal counsel is essential to stay ahead of regulatory changes — because in this new era of enforcement, transparency and trust are no longer best practices; they’re legal imperatives.