California Privacy Enforcement Alert: Honda Case Confirms Strict Privacy Compliance Expectations

Regulators Crack Down on CCPA Violations – What Legal and Compliance Teams Need to Know

The California Privacy Protection Agency (CPPA) has issued a significant enforcement order against American Honda Motor Co., Inc., highlighting key compliance failures under the California Consumer Privacy Act (CCPA). The case underscores the growing regulatory focus on consumer opt-out rights, dark patterns in cookie consent, and the mandatory enforcement of Global Privacy Control (GPC).

This enforcement action signals an escalation in privacy enforcement in California, with broader implications for businesses operating in the United States. Legal, privacy, and compliance professionals must take note of these findings to ensure their organizations remain compliant and mitigate legal risks.


Background: The Honda Enforcement Action

In Case No. ENF23-V-HO-2, the CPPA investigated Honda’s compliance with the CCPA from January 1, 2023, to November 20, 2024. The agency identified multiple violations, resulting in a $632,500 penalty and a legally binding Stipulated Final Order requiring substantial privacy practice reforms.

Key violations included:

  • Unlawful barriers to opt-out and data limitation requests
  • Requiring unnecessary verification for authorized agent submissions
  • Deceptive cookie consent interfaces (dark patterns)
  • Failure to honor Global Privacy Control (GPC) signals
  • Lack of compliant contracts with third-party advertising vendors

These violations illustrate how regulators are actively targeting business practices that make it difficult for consumers to exercise their privacy rights.


Key CCPA Compliance Failures in the Honda Case

1. Unlawful Burdens on Consumer Opt-Out and Data Limitation Requests

The CCPA provides consumers with the right to opt out of the sale or sharing of their personal information and to limit the use of sensitive personal data.

Regulatory Findings:

  • Honda required consumers to provide excessive information (e.g., name, full address, phone number, and product VIN) before processing opt-out requests.
  • This amounted to unlawfully requiring verification for rights that do not require consumer authentication under Cal. Code Regs. tit. 11, §§ 7026(d), 7027(e), 7060(b).
  • At least 119 consumers were affected, with 20 requests improperly denied due to unnecessary verification requirements.

Legal Takeaway: Businesses cannot condition opt-out rights on excessive data collection or verification. Opt-out mechanisms must be frictionless, ensuring consumers can exercise their rights without undue burden.


2. Unauthorized Barriers for Requests Submitted by Authorized Agents

The CCPA allows consumers to appoint an authorized agent to submit privacy requests on their behalf. Businesses must process these requests without requiring the consumer to personally confirm the agent's authorization.

Regulatory Findings:

  • Honda required consumers to directly confirm their authorization after an agent submitted a request—this is explicitly prohibited under Cal. Code Regs. tit. 11, §§ 7026(j), 7027(i), 7063(a).
  • At least 14 consumers were improperly forced to personally verify their authorized agent's request before it was processed.

Legal Takeaway: Requiring direct consumer confirmation for an authorized agent’s request violates the CCPA. Businesses may request a signed authorization document from the agent, but they cannot require direct consumer interaction to approve the request.


3. Dark Patterns in Cookie Consent Interfaces

The CPPA ruling also addressed Honda’s use of a cookie consent management tool that created asymmetrical choices, making it more difficult for consumers to opt out of tracking than to opt in.

Regulatory Findings:

  • Honda used OneTrust’s cookie management tool, which enabled all cookies by default (including advertising cookies).
  • Consumers had to take at least two steps to opt out of tracking, whereas they could opt in with a single “Allow All” click.
  • This design violated California’s prohibition on dark patterns, which requires symmetry in consumer choice under Cal. Code Regs. tit. 11, § 7004(a)(2).

Legal Takeaway: Businesses must ensure that cookie consent mechanisms do not create friction in opt-out processes. The path to reject tracking must be as simple as the path to accept it.


4. Failure to Honor Global Privacy Control (GPC) Signals

One of the most significant takeaways from this case is the CPPA’s explicit requirement that Honda implement Global Privacy Control (GPC) compliance.

What is GPC?

GPC is a browser-based setting or extension that automatically signals a consumer’s request to opt out of data sales and sharing. Instead of manually opting out on every website, users can enable GPC once, and compliant businesses must recognize it as a valid opt-out request.

Regulatory Findings:

  • Honda failed to process GPC opt-out signals as required by Cal. Code Regs. tit. 11, § 7025(c).
  • The enforcement order explicitly requires Honda to apply GPC signals to both known and unknown consumers (Paragraph 77c5).

Legal Takeaway: GPC compliance is not optional in California. Failure to honor GPC signals can result in significant penalties, as demonstrated by previous enforcement actions against Sephora ($1.2M fine in 2022) and now Honda.


5. Missing Contracts with Advertising Vendors

The CCPA requires businesses that share consumer personal information with third-party vendors to have compliant contracts that specify:

  • The permitted uses of personal data.
  • A prohibition on further data sales or sharing.
  • Compliance with CCPA privacy protections.

Regulatory Findings:

  • Honda failed to produce contracts with advertising technology vendors, despite sharing consumer data with them.
  • This violated Cal. Code Regs. tit. 11, §§ 7051, 7053.

Legal Takeaway: Businesses must ensure all third-party data-sharing agreements comply with CCPA contractual requirements. Regulators are increasingly scrutinizing vendor contracts, making this a critical compliance area.


Key Takeaways for Legal and Compliance Teams

This enforcement action provides a roadmap for CCPA enforcement priorities in 2025 and beyond. Businesses should take immediate steps to:

  • Audit consumer opt-out mechanisms to ensure no excessive verification requirements.
  • Ensure authorized agent requests are processed without requiring direct consumer confirmation.
  • Eliminate dark patterns in cookie consent interfaces.
  • Implement full GPC compliance and honor opt-out signals automatically.
  • Review vendor contracts to confirm compliance with CCPA data-sharing requirements.

Given the CPPA’s aggressive enforcement stance, legal and privacy professionals must proactively assess their organization’s CCPA compliance posture to avoid regulatory scrutiny and potential penalties.

For those advising businesses on privacy compliance, this case underscores that California regulators will not tolerate friction in consumer privacy rights enforcement. Now is the time to conduct internal audits, update privacy policies, and make all data processing activities align with the latest regulatory expectations.


Ronni K. Gothard Christiansen

CEO & Technical Compliance Expert, AesirX.io


Need a Consent Management Platform?

The Honda enforcement action makes it clear: California regulators will not tolerate deceptive consent practices or non-compliance with Global Privacy Control (GPC). Businesses must use consent management platforms (CMPs) that provide consumers with equal, transparent choices to opt out without unnecessary friction.

  • Does your website provide a “Reject All” option that’s as easy as “Accept All”?
  • Is your CMP fully compliant with GPC and CCPA opt-out requirements?

If not, it’s time to upgrade to a privacy-first consent management solution.

Discover AesirX CMP and ensure full compliance with CCPA, GPC, and GDPR today.
