
Data Collection Practices and CCPA Compliance: Key Takeaways from Honda’s CPPA Settlement

On March 12, 2025, the California Privacy Protection Agency (CPPA), one of the enforcement agencies for the California Consumer Privacy Act (CCPA), announced a settlement of over $630,000 with American Honda Motor Co. (Honda) for alleged privacy violations. This is the first time the CPPA has fined an automaker since the CPPA announced in July 2023 that it was reviewing privacy practices related to connected vehicles. The CPPA’s Order identifies four key areas of Honda’s alleged non-compliance:
  1. Requiring verification information for requests to opt out of sale/sharing or to limit the use of sensitive personal information.
  2. Requiring verification information for the same requests when submitted through authorized agents.
  3. Lack of symmetry in the website’s cookie management tool.
  4. Insufficient contracts with advertising technology vendors.
This post will walk through each of these issues in turn, providing key takeaways to consider based on the CPPA’s Order.

1.    Issue: Verifying Information for Requests to Opt Out/Limit Sensitive Information

The CPPA alleges that Honda’s webform, as depicted in the Order, required individuals to include information for verification purposes when submitting requests to opt out of sale/sharing or to limit the use of sensitive personal information.

Overview: Per §7060(b) of the California Consumer Privacy Act Regulations (Regulations), there is no verification requirement for requests to opt out of the sale/sharing of personal information or for requests to limit the use of sensitive personal information. The CPPA alleges that Honda’s “Submit A Privacy Request” webform required eight separate data points for a range of data subject access requests (DSARs), including requests to opt out of sale/sharing of personal information and to limit the use of sensitive personal information. Covered entities should not require verification before processing these requests. According to the CPPA’s Order, from July 1, 2023 to September 23, 2023, Honda improperly required at least 119 individuals to provide excessive information and denied at least 20 individuals’ requests based on unlawful verification standards.

Takeaway: Under the CCPA, opt out and limit requests are non-verifiable, and covered entities should collect only the minimal data points necessary to fulfill the request. You can learn more about responding to DSARs on our blog.

2.    Issue: Verifying Information for Requests to Opt Out/Limit Sensitive Information through Agents

The CPPA alleges that Honda unlawfully required individuals to confirm with Honda directly that they had authorized an agent to submit requests on their behalf to opt out of sale/sharing or to limit the use of sensitive personal information.

Overview: Covered entities may require an authorized agent to provide proof of the consumer’s signed permission to act on their behalf. Requiring the consumer to verify their identity directly with the business, or to directly confirm that they authorized the agent, is permitted only for verifiable requests – requests to know, delete or correct information – per §7063 of the Regulations. The CPPA alleges that Honda’s direct confirmation requirement for requests to opt out and limit goes beyond what is permitted in the CCPA and Regulations. The Agency alleges that these unlawful practices impacted at least 14 consumers during the reviewed period from July to September 2023.

Takeaway: The CCPA prohibits covered entities from requiring direct confirmation from consumers for non-verifiable requests – even when an agent is used to submit the request. Rather than applying the same verification standard to all DSARs, covered entities should distinguish which types of requests are verifiable. This may vary between jurisdictions, so be sure to check all applicable laws when building your DSAR playbook. You can refer to our U.S. state privacy law post for relevant jurisdictional thresholds within the US, and covered entities should also consider international laws, like the GDPR, which may impose other DSAR or verification requirements.
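The two issues above both come from applying one verification standard to every request type. As an added example (not Honda’s webform and not taken from the CPPA’s Order), the Python script below audits a privacy-request intake configuration for exactly those two patterns: identity data demanded for a non-verifiable request, and direct consumer confirmation demanded when an agent submits a non-verifiable request. The configuration shape, the field names and the rule names are hypothetical; the two sample forms are constructed to show a uniform eight-field form beside one that splits the request types.

```python
"""Audit a privacy-request intake form against the CCPA Regulations' split between
verifiable requests (know, delete, correct) and non-verifiable requests (opt out of
sale/sharing, limit use of sensitive personal information).

Added illustration, not Honda's webform or the CPPA's Order. The configuration
shape, field names and rule names are hypothetical.
"""
from dataclasses import dataclass

# Regs §7060(b): opt-out and limit requests need no verification.
VERIFIABLE = frozenset({"know", "delete", "correct"})
NON_VERIFIABLE = frozenset({"opt_out_sale_sharing", "limit_sensitive_pi"})

# Fields that exist only to verify identity vs. fields needed to find and act
# on the record (hypothetical names).
IDENTITY_FIELDS = frozenset({"full_name", "street_address", "phone",
                             "date_of_birth", "vin", "ssn_last4"})
ACTION_FIELDS = frozenset({"email", "cookie_id"})


@dataclass(frozen=True)
class Finding:
    request_type: str
    rule: str
    detail: str


def audit_form(form: dict) -> list:
    """form maps request_type -> {"required": iterable of field names,
    "agent_requires_consumer_confirmation": bool}. Returns a list of Findings;
    an empty list means the form passed every check implemented here."""
    findings = []
    for rtype, cfg in form.items():
        required = frozenset(cfg.get("required", ()))
        direct_confirm = bool(cfg.get("agent_requires_consumer_confirmation", False))

        if rtype in NON_VERIFIABLE:
            # Issue 1: demanding identity data turns a non-verifiable request
            # into a verified one.
            extra = required & IDENTITY_FIELDS
            if extra:
                findings.append(Finding(rtype, "no-verification-allowed",
                                        f"requires identity fields {sorted(extra)}"))
            # Minimisation still needs *something* to locate the record.
            if not required & ACTION_FIELDS:
                findings.append(Finding(rtype, "cannot-act",
                                        "no field (e.g. email) to identify the record"))
            # Issue 2: direct consumer confirmation of an agent is only for
            # verifiable requests (Regs §7063).
            if direct_confirm:
                findings.append(Finding(rtype, "agent-direct-confirmation",
                                        "direct consumer confirmation only for know/delete/correct"))
        elif rtype in VERIFIABLE:
            # Verification is required here; flag a form that gathers nothing to
            # verify with (an authenticated-account flow would be the alternative).
            if not required & IDENTITY_FIELDS:
                findings.append(Finding(rtype, "nothing-to-verify",
                                        "collects no identity field; verify via account"))
        else:
            findings.append(Finding(rtype, "unknown-request-type", "not a CCPA request type"))
    return findings


# Constructed input: one form requiring the same eight fields for every request
# type and demanding direct consumer confirmation of any agent (the pattern the
# Order describes, with hypothetical field names).
ALL_EIGHT = IDENTITY_FIELDS | ACTION_FIELDS
UNIFORM_FORM = {
    rtype: {"required": ALL_EIGHT, "agent_requires_consumer_confirmation": True}
    for rtype in ("know", "delete", "correct", "opt_out_sale_sharing", "limit_sensitive_pi")
}

# Same intake with the two non-verifiable requests cut down to what is needed to act.
SPLIT_FORM = dict(UNIFORM_FORM)
for _rtype in NON_VERIFIABLE:
    SPLIT_FORM[_rtype] = {"required": {"email"}, "agent_requires_consumer_confirmation": False}


if __name__ == "__main__":
    for name, form in (("uniform", UNIFORM_FORM), ("split", SPLIT_FORM)):
        results = audit_form(form)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.rule}] {f.request_type}: {f.detail}")
```

Run against the uniform form, the audit reports four findings, all on the two non-verifiable request types (excess identity fields and the agent-confirmation requirement); the split form reports none. The check belongs wherever the form definition lives, so that a later change that quietly re-adds a required field to the opt-out path fails a build rather than a regulator’s review.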

3.    Issue: Lack of Symmetry on the Website’s Cookie Management Tool

The CPPA alleges that Honda’s cookie management tool (the cookie banner at the bottom of its webpage) required more steps to opt out of sharing than to opt in, violating the symmetrical choice requirements of the CCPA.

Overview: According to the Order, individuals using Honda’s cookie banner needed to complete two steps to disable advertising – a “change” step and a “save” step. Opting in, however, required a single “change & save” step. Per §7004(a)(2) of the Regulations, “[t]he path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or more time-consuming than the path to exercise a less privacy-protective option,” because an imbalance in options “would impair or interfere with the consumer’s ability to make a choice.” According to the examples in the Regulations, “[a]n equal or symmetrical choice [in a website banner] could be between ‘Accept All’ and ‘Decline All.’”

Takeaway: Entities covered by the CCPA should ensure that the process to submit opt out requests – including those made through cookie management tools – is no more difficult than the process to opt in. According to the Regulations, this standard also applies when the individual uses the “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link. The number of steps for submitting a request to opt out is measured from when the consumer first clicks the link to the completion of the request. Similarly, the number of steps to opt in is measured from the consumer’s first indication of interest in opting in to the completion of the request.

4.    Issue: Insufficient Contracts with Advertising Technology Vendors

The CPPA alleges that Honda failed to produce contracts (such as data protection agreements, or DPAs) that required technology vendors to sufficiently protect consumer information.

Overview: Under CCPA §1798.100(d), when a covered entity collects a consumer’s personal information and discloses it to a service provider or contractor, the covered entity must enter into an agreement with that party requiring it to protect the consumer’s personal information. According to the Order, Honda lacked proper contractual agreements despite collecting individuals’ information and disclosing it to third-party vendors. These vendors included businesses that conducted targeted advertising, which may constitute “selling” or “sharing” personal information under the CCPA. Without agreements with these third-party vendors in place, the CPPA alleges, individuals’ information may be improperly used or shared without sufficient privacy protections.

Takeaway: The CCPA requires covered entities to maintain agreements, such as a DPA, that specify data use limitations, require CCPA compliance, and ensure a certain standard of privacy protection. A covered entity that discloses personal information to third-party vendors should ensure that these contracts are in place and meet the law’s requirements.

Conclusion

The Order against Honda serves as a cautionary example for covered entities managing individuals’ information under the CCPA. In addition to the fine, the Order requires Honda to “certify its compliance, train its employees, and consult a user experience (UX) designer to evaluate its methods for submitting privacy requests. Honda must also change its contracting process to ensure appropriate mechanisms are in place to protect personal information.” Additionally, the CPPA’s head of the Enforcement Division stated that “[the Agency] won’t hesitate to use our cease-and-desist authority to change business practices,” indicating that the Agency is serious about its enforcement authority. By taking proactive steps, covered entities can better protect against regulatory enforcement actions while working to safeguard individuals’ privacy.

Texas sues Allstate, continuing Lone Star’s focus on vehicle data regulation

Update: On Jan. 29, 2025, it was reported that on Jan. 12, 2025, Texas sent Kia America, Inc. a notice of its alleged violations of the Texas Data Privacy and Security Act. Kia has 30 days to cure the alleged violations.

Everything is bigger in Texas, including data privacy enforcement. On January 13, 2025, Texas continued its recent regulatory focus on vehicular and geolocation data by initiating a lawsuit against Allstate and its subsidiary, Arity, alleging the companies violated numerous consumer protection and data privacy laws by unlawfully collecting, using, and selling personal, vehicular, and location data without consumers’ knowledge or consent.

What led to this lawsuit?

For more than half a year, Texas has been leading the regulatory enforcement of vehicular and geolocation data practices. On June 6, 2024, Texas Attorney General Ken Paxton announced that his office had opened an investigation into various car manufacturers “after widespread reporting” that those manufacturers had been secretly collecting mass amounts of data about drivers and selling that data to third parties. The “widespread reporting” cited by Paxton as the seed for the investigation was most likely a nod toward the Mozilla Foundation’s “Privacy Not Included” report published in September 2023. The report expressly declared that modern vehicles are a “privacy nightmare,” and all 25 car brands researched for the report were labeled as having the worst privacy the Foundation had ever reviewed. The investigation initiated by Paxton in June 2024 eventually led to a lawsuit against General Motors, filed on August 13, 2024, alleging the company engaged in false, deceptive, and misleading business practices related to its unlawful collection and sale of driving data to insurance companies without consumers’ knowledge or consent.

Following this suit, Paxton’s office sent a notice in November 2024 to Arity, LLC, a data analytics company founded in 2016 by Allstate, alleging that Arity was in violation of Texas’s recently enacted state privacy law, the Texas Data Privacy and Security Act (the “TDPSA”). The notice identified specific provisions of the TDPSA that Arity was allegedly violating and requested that Arity cure the violations within 30 days, in accordance with the TDPSA’s cure period. But according to Texas’s petition against Allstate and Arity filed on January 13, 2025, Arity failed to cure the alleged TDPSA violations within the 30-day cure period, allowing Texas to include these alleged violations in the lawsuit.

What did Allstate and Arity allegedly do?

According to Texas’s petition, defendants Allstate and Arity developed and integrated software into third-party apps so that when consumers downloaded the third-party app, they also “unwittingly” downloaded the defendants’ software. The defendants presented the software as “providing a necessary function,” but Texas claims the software does little more than scrape data from the third-party app. Once downloaded, the defendants’ software, through the third-party apps, monitored the consumer’s location and movement “in real-time” and collected trillions of miles of consumer driving data, including geolocation data, accelerometer data, gyroscopic data, and more. The defendants then sold that data to third parties or used it for Allstate’s insurance underwriting. To encourage third parties to integrate the defendants’ software, the defendants paid app developers and offered an incentive program that provided “generous bonus incentives” if developers increased the size of their dataset. All the while, according to Texas, consumers did not consent to, nor were they made aware of, the full extent of the defendants’ collection and sale of data.

Instead, the defendants entered into agreements with the third-party app developers that mandated, to some degree, that certain privacy disclosures and consent language be presented by the third-party apps to consumers. But those third-party disclosures and consents, according to Texas, never mentioned the existence of the defendants, “let alone any of Defendants’ data collection or sales.” Nor did the defendants provide consumers with any notices of their own regarding their data collection practices, and even if consumers did take the extra step to investigate the defendants’ policies, those policies contained “untrue and contradictory statements that do not reflect Defendants’ practices.” For example, the policies expressly stated that the defendants do not sell personal data for monetary value, which Texas alleges is untrue, and the policies do not provide consumers with the ability to request that the defendants stop selling their data. Taken together, Texas claims these alleged facts establish the basis for numerous legal violations, including violations of the TDPSA, the Texas Data Broker Law, and the Texas Insurance Code.

Key takeaways?
  1. Texas is – and will likely remain – focused on regulating vehicular data practices. As the saying goes, once is a coincidence, twice is a pattern, and thrice is a regulatory enforcement focus. Within the short span of half a year, Texas opened an investigation, submitted a notice to cure under the TDPSA, and initiated two lawsuits, all targeting vehicular data practices. Given the rapidity with which Texas is bringing these actions, it will likely continue to make this an enforcement priority for the near future.
  2. Relying on third parties to provide notices and collect consent on your behalf may not be enough. The facts alleged are that the defendants had entered into agreements that, to some degree, obligated the third-party apps to provide notices and collect consumer consent for the collection and sharing of data with the defendants. Yet, according to Texas’s petition, these third-party disclosures and consent collection mechanisms failed to sufficiently inform consumers about the defendants’ data practices.
  3. SDKs remain an area of risk. In recent years, there has been a string of federal and state enforcement actions over the use of software development kits (SDKs) to collect and share data. The Federal Trade Commission entered a settlement agreement with InMarket and others; California entered a stipulated judgment of $500,000 with Tilting Point Media; and now a core fact of Texas’s petition is that the defendants developed and integrated SDKs into third-party apps to scrape data.
  4. Carefully consider whether data is being “sold.” Under the TDPSA, a “sale” occurs when personal data is shared, disclosed, or transferred for monetary or other valuable consideration, and Texas alleges that Allstate and Arity “sold” personal data when they sold “data-based products and services for monetary value that linked a specific [consumer] to their alleged driving behavior.” Often, the language of “selling” something conjures to mind ideas of direct financial transactions – exchanging personal data expressly for money or other benefits – but regulators, including those in Texas and California, interpret “selling” personal data more broadly. Thus, companies should carefully review whether their data disclosure and access practices may constitute “selling” personal data, and if so, whether they satisfy the relevant obligations when data is being “sold.”