It’s no surprise that the California Privacy Protection Agency (“CPPA”) has been active. They are making a strong case for being the most active state agency in the privacy arena.
Well, they just strengthened that claim in a Stipulated Final Order with American Honda Motor Company, Inc. (“Honda”) from last week. The CPPA claims that Honda’s practices were violations of the California Consumer Privacy Act and the claims are pretty surprising.
Not because they are egregious. But, mostly because it’s demonstrative of the fact that the CPPA is not giving points for “effort”.
- Honda required too much information from consumers to opt-out of sale/sharing of consumer data
The CCPA grants consumers certain rights. Included in these rights are the right to opt out of the sale or sharing of personal information, the right to limit the use of sensitive personal information, and the right to delete personal information.
Honda had created a Privacy Center page to allow consumers to manage how their personal data was handled. Because Honda needed to be able to verify the information from the consumer, certain questions were asked in an effort to identify the consumer and manage their personal data.
However, the CPPA felt that Honda was asking too many questions. From the order: “although Honda generally needs only two data points from the Consumer to identify the Consumer within its database, Honda’s verification process for Verifiable Consumer Requests requires the matching of more than two data points.” (emphasis in original)
According to the CPPA, the design of Honda’s Privacy Center “impairs or interferes with the Consumer’s ability to exercise those rights. The CCPA prohibits businesses from designing methods for submitting CCPA Requests that substantially subverts or impairs the Consumer’s autonomy, decisionmaking, or choice.”
- Honda required too much information to allow third-party agents to opt-out on behalf of consumers
Consumers can allow third-party agents to exercise their privacy rights under the CCPA. And businesses can require the agents to provide a written authorization from the consumer to allow the third-party agents to do so.
But, businesses cannot “require the Consumer to directly confirm that they have provided the Authorized Agent permission to submit the request. Businesses may directly contact the Consumers directly in that manner only for Verifiable Consumer Requests.”
Honda, apparently, was treating all third-party requests the same and not limiting the outreach to the consumer to Verifiable Consumer Requests.
- Honda’s cookie management tool was not offering symmetrical choices
And now we enter the nit-picking section of the program.
(This is John’s opinion, not necessarily the opinion of TCPAWorld, but hey, I’m writing this, so I get to interject my opinion.)
Honda uses a third-party cookie management tool. It’s one of, if not THE, industry-leading cookie management tools.
The cookie management menu pops up, and the consumer has two clicks to turn off the advertising cookies: (1) click the toggle button, and (2) click the “Confirm my choices” button.
Seems reasonable.
However, if the consumer goes back to the cookie management tool at a later point, there is one button – an “Allow All” button. This button allows all the cookies to be turned back on in a single click.
THE HORROR.
Excuse me, while I clutch my pearls.
The CPPA said the single opt-in was not symmetrical in choice. “Symmetry in choice means that the path for a Consumer to exercise a more privacy-protection option cannot be longer or more difficult or time-consuming than the path to exercise a less privacy-protection option because that would impair or interfere with the Consumer’s ability to make a choice.”
I get it. That’s the law. But, two clicks versus one click is absurd.
Especially, when the consumer can still opt out of individual categories of cookies in two clicks. It’s just the opt-in takes one click. (However, the user has to go back into the cookie management tool somehow, so arguably that’s an additional click.)
- Honda couldn’t provide the CPPA with their contracts with advertising vendors
The CCPA requires companies that collect and disclose personal information to vendors to have specific requirements in their contracts around personal information.
However, per the Stipulated Order, Honda could not produce the contracts.
OK, so that one’s clearly on Honda.
The big takeaways from this order:
- The CPPA is not joking. They are NOT going to give you points for trying to comply.
- The CPPA is very aggressive. The administrative fine is a total of $632,500. Of that amount, $382,500 accounts for Honda’s conduct toward a total of 153 consumers.
Read that again.
One Hundred Fifty Three Consumers accounted for a fine of $382,500.
- Reliance on vendors is not going to save you from CCPA violations.
- Basic contract management = Keep copies of contracts and produce them.