What Companies Need To Know From the California Privacy Protection Agency’s First CCPA Enforcement Action
Client Alert | 7 min read | 03.20.25
On March 12, the California Consumer Privacy Protection Agency (“Agency”) announced it had entered into a settlement (“Settlement”) with American Honda Motor Company (“Honda”) to resolve the Agency’s claims that Honda violated the California Consumer Privacy Act (“CCPA”). The total fine to be paid by Honda is $632,500. The investigation came out of the Agency’s Enforcement Division’s focused review of privacy practices of connected vehicles and related technologies announced in July 2023. That review highlighted vehicles with embedded features such as location sharing, smartphone integration, and cameras, and we expect more automotive-related Agency settlements to be issued in the near future.
Even though the Settlement arose from the connected vehicle initiative, the Settlement itself does not focus on connected vehicles, instead alleging violations of privacy rights that are applicable to all entities subject to CCPA. As a result, any company processing personal information belonging to California consumers should look to the allegations made by the Agency and evaluate their own privacy compliance program in order to avoid similar Agency claims. Automakers with connected vehicles and related technologies in particular should review their privacy program and make appropriate changes in light of this settlement.
Some of the key takeaways from the Settlement are:
Volume of Violations Does Not Matter: The Agency makes clear through its claims and settlement with Honda that there is no minimum number of violations by a company needed in order for the Agency to pursue enforcement actions. Even though the charges were directed to a larger company (Honda is alleged to annually sell or share the personal information of 100,000 or more consumers or households), the number of alleged violations was fairly minimal. For example, the Agency alleged in its order (the “Order”) that Honda required at least 119 consumers to provide more information than necessary to submit a request to opt out of sale/sharing and/or a request to limit the use of sensitive personal information—a remarkably small percentage of Honda’s overall data volume.
The Agency broke down the total fine per violation and violation number, with $382,500 of the fine due to conduct toward a total of 153 consumers. Given the volume of consumers affected compared to the number of consumers' personal information processed by Honda, companies should not assume that the Agency is unlikely to target them or bring enforcement actions simply because they are processing a smaller number of consumers or perhaps have a smaller number of potential violations of CCPA. Given that this is the Agency’s first set of targeted reviews and enforcement activity, it is likely that the Agency is attempting to ensure that companies understand that the Agency is serious about its enforcement.
One Form for Collection of Information to Respond to Consumer Requests Is Likely Not Tailored for CCPA: The Settlement suggests that companies will need to amend their personal information collection practices to collect only the personal information needed in order to respond to the specific consumer request. There are multiple requests that a consumer can make under CCPA; however, not all requests require the company to verify the consumer’s identity (e.g., requests to opt out of the sale or sharing of personal information). In Honda’s case, it was targeted for using one form which asked for the same personal information regardless of the type of consumer request, despite not needing such information to process some requests, including those that did not require verification. In particular, the Agency noted in its order that “Honda’s process for submitting CCPA requests failed to distinguish requests that required verification and those that did not. Honda used the same webform for both types of requests with no differences in the information required to process them.”
The Agency claimed that this violated the CCPA by seeking unnecessary information from the consumer and impaired or interfered with the consumer’s right to exercise their rights by requiring verification when verification was not necessary. Thus, companies will need to re-evaluate the process they are using to process and validate rights requests, and should avoid using a single, universal form that collects additional information from all consumers regardless of whether verification is necessary.
To address this issue, the Order requires Honda to engage a user experience (UX) designer to evaluate its method for submitting requests and to “make recommendations on how to ensure that methods for submitting CCPA Requests are easy to use and avoid language and interactive elements that are confusing to a reasonable Consumer.” Based on this requirement, there now appears to be an affirmative obligation on companies to ensure that they have sought feedback from consumers on the ease of use of their websites for submitting consumer requests.
Opt-In and Opt-Out Choices Need to be Symmetrical: Since CCPA’s inception, companies have struggled with how to address opt-ins and opt-outs, relying on vendors to support their offers of consumer choice. Based on the Agency’s order, it appears that certain standard practices will need to be changed.
In Honda’s case, to turn off any advertising cookies, the consumers were required to take two steps (click to manage cookies, then click again to turn off specific cookie choices such as advertising or functional cookies), whereas to allow advertising cookies they only needed to click one button, “allow all.” This asymmetry of number of steps was found to be problematic: “[A] choice is not symmetrical when a business’s process for submitting a Request to Opt-out of Sale/Sharing requires more steps than that business’s process for a Consumer to opt-in to the sale of Personal Information after having opted out.” More specifically, “[a] website banner that provides only two options when seeking Consumers’ consent to use their Personal Information—such as “Accept All” and “More Information,” or “Accept All” and “Preferences”—is not equal or symmetrical.” In its order, the Agency required Honda to include a “Reject All” button to facilitate symmetry. The Agency appears to now require companies to revisit their opt-in/opt-out practices with their vendors to ensure the symmetry that the Agency is requiring, including considering adding a “Reject All” button where there is an “Accept All” button.
Companies Cannot Require Verification of Authorized Agents Where No Verification is Required of the Consumer: In addition to requiring verification of the consumer where the Agency alleged it was inappropriate, Honda also required consumers who used authorized agents to exercise their rights to verify that they had, in fact, authorized the agent. Where a company cannot require a verification of the consumer, it cannot also require a verification from the consumer that they have authorized an agent to exercise their rights (e.g., exercising a right to opt out of sale or sharing). In Honda’s case, it included a check box on its form for authorized agents to check if they were making the request on behalf of a consumer, and required the agent to submit verification of their own identity, a copy of a lawful power of attorney or proof of written permission to act on the consumer's behalf. However, the verification request went to the consumer, not to the agent. The Agency found this to be impermissible, stating that “businesses may not require the Consumer to directly confirm that they have provided the Authorized Agent permission to submit the request.” Companies can only seek verification where CCPA requires verification from the consumer. If a company has a practice of verifying that the authorized agent of the consumer is authorized in all circumstances, the company will need to modify that practice to only seek such verification where it would need verification of the consumer’s identity for that same request.
Know Your Vendor: Like many companies, Honda sold, shared, or disclosed personal information to advertising technology companies. Per the CCPA, such companies are required to enter into agreements with those entities that contain certain provisions to protect consumers (often referred to as a Data Privacy Agreement/Addendum) (“DPA”). Per the statute, DPAs “must identify the limited and specified purposes for which the Personal Information can be used and must limit the recipient’s use of the Personal Information for only those purposes.” DPAs must also require the recipient to comply with the CCPA and provide the “same level of privacy protection” as required of businesses by the CCPA, among other things.
Because Honda was unable to produce contracts with an unidentified number of advertising technology companies, the Order requires Honda to “modify its contract management and tracking process to ensure that all required contractual terms are in place with all external recipients of Personal Information” and to confirm within 180 days that all required contractual terms were in place with “all external recipients of Personal Information.” Even though the Order focused on the failure to include these terms with advertising technology companies, it required this confirmation for all external recipients. Consequently, companies should ensure that they have reviewed and mapped where any California consumer personal information is being provided and ensure that any agreements have the required CCPA terms in those contracts. If they do not, such companies should amend those contracts. Companies should also ensure that any existing internal templates also contain these same terms.
Conclusion
The Settlement represents a significant step in California’s enforcement of the CCPA, providing additional clarity on how companies are expected to comply. Companies should review their own practices to ensure that those are aligned with Agency expectations. Crowell is monitoring for additional Agency activity, including additional settlements. Crowell attorneys are available to assist you in reviewing your current practices and policies and helping to align with the CCPA and any Agency actions or activity.