31 March 2025

California Privacy Enforcement Update: Verifying Consumer Requests And Banners Must Be Symmetrical

Taft Stettinius & Hollister

Contributor

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.

The California Privacy Protection Agency ("CPPA") recently issued a decision requiring American Honda Motor Co. to pay a $632,500 fine and change certain business practices related to alleged violations under the California Consumer Privacy Act ("CCPA"). While not specifically related to connected vehicles, this decision comes after the CPPA's announcement in 2023 that it would be focusing on connected vehicle manufacturers' compliance with the CCPA.

The decision alleged the following violations of California residents' privacy rights:

  • Excessive Personal Information. "Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit."
  • Lack of Symmetrical Choices. "Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way."
  • Difficult to Appoint Authorized Agents. "Making it difficult for Californians to authorize other individuals or organizations (known as 'authorized agents') to exercise their privacy rights."
  • Lack of Contracts. "Sharing consumers' personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy."

Excessive Personal Information. Under the CCPA, certain consumer rights require businesses to verify the individuals making the requests (the right to delete, correct, and know) while others do not (the right to opt-out of sale/sharing and limit sensitive personal information). This CPPA decision alleges that the company required matching more than two data points (sometimes requiring up to eight data points) provided by the consumers with data in its own database prior to exercising the request to opt-out of the sale/sharing and limiting sensitive personal information. The CPPA found that this was more than necessary to simply exercise the rights to opt-out of sale/sharing and limit sensitive personal information.

Therefore, businesses should review how they process consumer rights requests in California and ensure that they are only requiring verification for the consumer rights that require verification (the right to delete, correct, and know). A business should only ask for information that is necessary to complete the request to opt out of the sale/sharing or limit sensitive personal information, such as enough information to identify the individual in its system so that the request can be completed.

Lack of Symmetrical Choices. Under the CCPA regulations, if a business offers a privacy-protective choice or option (such as a cookie banner), that option must be symmetrical. Specifically, "the path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer's ability to make a choice."

The CPPA decision alleges that the company's cookie preference banner had an "Allow All" option, a "Confirm My Choices" option, and then an option to turn off specific types of cookies. The CPPA found that this was not symmetrical. In order to be symmetrical, the banner required a "Reject All" option as well.

Therefore, the general idea is that the banner or mechanism that provides a consumer the option to make a privacy-protective choice must allow the consumer to accept and deny the option in the same number of clicks.

Difficult to Appoint Authorized Agents. The CCPA allows consumers to appoint natural persons or entities to act as their authorized agent in submitting consumer requests to businesses. Per the above "Excessive Personal Information" discussion, the CCPA's prohibition on requiring verification for requests to opt-out of sale/sharing and requests to limit sensitive personal information also applies to requests submitted by the consumers' agents. Businesses may ask the agents to provide a signed permission demonstrating that the agents have been authorized by the consumer.

Here, the company required consumers' agents to go through the same verification process as discussed above in the "Excessive Personal Information" discussion. Businesses should ensure that their processes for handling authorized agent requests comply with the verification requirements for the rights to delete, correct, and know, but do not require direct verification from the consumer for requests to opt out of sale/sharing and requests to limit sensitive personal information.

Lack of Contracts. The CCPA requires businesses that disclose personal information to third parties to have proper contracts in place. These contractual requirements depend on the type of third party, such as with a service provider, contractor, or other third party (as those terms are defined under the CCPA).

The CPPA found that the company did not have CCPA-compliant contracts in place with its third-party providers. Businesses should review their service provider, contractor, and third-party contracts and ensure they contain the required language under the CCPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
