CPPA Reaches Settlement with Honda Over Connected Vehicle Privacy

Gregory J. Leighton

Email

312-873-3660

Bio and Articles

Aaron A. Ogunro

Email

312-463-6331

Bio and Articles

Ashleigh Bickford

Email

816.360.4372

Bio and Articles

Find Your Next Job !

Litigation Manager - General Liability

Trial Attorney - Indiana - (Remote)

Health Law Attorney

Marketing Manager
PLI Practising Law Institute

Explore More Job Openings

What Honda's CCPA Penalty Means for Your Privacy Compliance

by: Gregory J. Leighton, Aaron A. Ogunro, Ashleigh Bickford of Polsinelli PC - Alerts

Monday, March 17, 2025

Print Mail Download info_icon_img

/>i

The California Privacy Protection Agency (CPPA) has reached a settlement with American Honda Motor Co., Inc. (Honda), as outlined in this Order of Decision. The Order is the CPPA’s first public enforcement action involving a significant monetary penalty of $632,500, arising from its investigation into the privacy practices of connected vehicle manufacturers that began in July 2023.

The CPPA asserted that Honda violated the California Consumer Privacy Act (CCPA) by requiring consumers to undergo an extensive identity verification process, including for requests where verification is not permitted under the CCPA. Honda’s process for accepting data subject requests through authorized agents also included unnecessary and non-permitted steps.

Additionally, the CPPA asserted that Honda’s cookie management platform violated the CCPA, as it required a two-step process for opting out of advertising cookies and tracking technologies while consenting (or reconsenting) to cookies required just a single click, making it more burdensome to opt out of, rather than consent to such data processing. Honda was also unable to produce any of its contracts with third party advertising vendors to show that they were implementing the required contractual provisions under the CCPA.

To resolve the CPPA’s allegations, Honda has agreed to pay $632,500 in monetary penalties and revise its privacy practices, including implementing a simpler process for consumers to exercise their privacy rights, minimizing data collection for verification purposes and modifying its contract management and tracking processes.

The CPPA’s Order signals an intent to hold businesses accountable for their data subject request processes. Below are some steps you can take to ensure compliance and mitigate the risk of similar penalties:

Revisit your process for responding to data subject requests and ensure that your verification process is appropriately tailored.
Review (or implement) a process for receiving, verifying and responding to data subject requests.
Review your contracts with vendors to confirm they include the required provisions.
Assess (or implement) your cookie management platform to ensure opt-out processes are simple and symmetrical.