California Privacy Protection Agency Fines Honda For Demanding Verification Information From Consumers Opting Out Of Data Sale Or Sharing

In an increasingly digital world, consumer privacy has become a paramount concern, leading to the establishment of laws like the California Consumer Privacy Act (CCPA). Recently, the California Privacy Protection Agency (CPPA) resolved an enforcement action against American Honda Motor Co., Inc. (Honda) highlighting the importance of honoring consumer requests to exercise privacy rights.

Case Summary

The CPPA's Stipulated Final Order (Order) against Honda stems from an investigation into the company's compliance with the CCPA. Enacted in 2018, the CCPA was designed to enhance consumer rights regarding personal information, allowing Californians to understand how their data is collected, used, and shared. In this case, the agency identified multiple violations by Honda, particularly in how the company handled consumer requests related to their personal data, how the company allows consumers to select cookie preferences, and what requirements it had for contracts with third parties receiving consumer personal data.

The investigation revealed that Honda utilized a single form for consumers to exercise their privacy rights, which unlawfully required consumers to provide verification information when submitting requests to limit or opt-out of the sale or sharing of their personal data. Additionally, Honda demanded more than two pieces of verification information, violating CCPA requirements and creating an undue burden on consumers attempting to exercise their privacy rights. This complicated process not only inconvenienced consumers but also resulted in the denial of legitimate consumer requests to exercise their data rights.

As a consequence of these violations, Honda is required to pay a fine of $632,500. The Order requires Honda to revamp its data request processes to ensure compliance with CCPA regulations. Key changes include simplifying the verification information required from consumers and creating separate methods for submitting different types of requests.

Furthermore, Honda is required to implement the following:

• provide training for all personnel handling CCPA requests, ensuring they understand the privacy law's requirements and can assist consumers effectively;
• change its website user experience (UX) to ensure it is easy for consumers to opt out of the sale or sharing of data or limit how their personal information is users;
• submit its proposed website changes to an independent UX design employee to ensure it meets these requirements, which is a new obligation that has not been imposed on businesses and other enforcement proceedings;
• ensure that its contracts with third parties include the requirements to honor consumer, personal data request when notified by Honda; and
• ensure that consumers can easily access cookie management preferences from the privacy policy, the website footer and its Privacy Center.

Key Takeaways for Businesses

Businesses are reminded to review the applicable legal requirements for requests to exercise privacy rights, also called data access subject requests (DSARs). The following requirements apply under the CCPA:

• Consumers should be able to opt out of the sale or sharing of data through a link prominently displayed on the business's main webpage, labeled "Do Not Sell or Share My Personal Information."
• The process to opt out should match the process to opt in. For example, if it takes a consumer one click to opt in, it should be one click for the consumer to opt out.
• While companies can request verification of a consumer's identity when exercising other consumer data rights, they must limit their requests to only two pieces of information and ensure the process is not burdensome.
• It is crucial for companies to acknowledge receipt of consumer requests within 10 days and respond within 45 days of a DSAR's receipt.
• Businesses should also evaluate the information they collect from authorized parties and collect contact information from both the consumer and the authorized party.
• Businesses should ensure their contracts include specific requirements to delete personal information when a business receives a request from its consumer and notifies that third party.
• In addition, businesses should evaluate cookie practices and ensure that consumers can easily opt out of targeted advertising and otherwise express their preferences. Cookie banners and related disclosures should be prominently featured in a privacy notice, and in all footers on a business website.
• Finally, businesses should ensure they are implementing the Global Privacy Control standard into their website to accept opt out request for the share or sale of personal data when a customer visits the site.

As the regulatory landscape continues to shift, organizations should maintain robust compliance programs, stay informed about legal developments, and be prepared to adjust their practices to mitigate related privacy risks.

Originally published by M&D, The CommLaw Group.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.