ARTICLE
16 April 2025

CPPA Announces Enforcement Action Against Automaker

KG
K&L Gates LLP

Contributor

At K&L Gates, we foster an inclusive and collaborative environment across our fully integrated global platform that enables us to diligently combine the knowledge and expertise of our lawyers and policy professionals to create teams that provide exceptional client solutions. With offices spanning across five continents, we represent leading global corporations in every major industry, capital markets participants, and ambitious middle-market and emerging growth companies. Our lawyers also serve public sector entities, educational institutions, philanthropic organizations, and individuals. We are leaders in legal issues related to industries critical to the economies of both the developed and developing worlds—including technology, manufacturing, financial services, health care, energy, and more.
On 12 March 2025, the California Privacy Protection Agency (CPPA) settled with an automaker that allegedly violated various aspects of the California Consumer Privacy Act (CCPA).
United States California Privacy

On 12 March 2025, the California Privacy Protection Agency (CPPA) settled with an automaker that allegedly violated various aspects of the California Consumer Privacy Act (CCPA). This first-of-its-kind settlement for the agency echoes a 2022 enforcement action brought by California Attorney General Rob Bonta against an online retailer, while introducing new guidance for businesses subject to the CCPA. In this article, we will focus on the agency's allegations regarding cookie management service providers and take-aways for businesses subject to the CCPA or similar state privacy statutes.

The CPPA alleged the automaker:

  1. Required California consumers to provide more personal information than what is necessary to exercise a consumer's right to opt-out of the sale/sharing their personal information and to limit the use of sensitive information;
  2. Made it difficult for California consumers' authorized agents to exercise their privacy rights;
  3. Used an online privacy management tool that failed to offer California consumers a symmetrical way to exercise their privacy choices; and
  4. Shared consumer data with ad tech companies without proper contractual safeguards.

Cookie Managers & Consent Tools

CCPA regulations require businesses to implement methods for submitting CCPA requests that are easy to understand and provide "symmetry" in choice. This means that the choices provided to a consumer with respect to opting-in to the collection or usage of personal information should be mirrored in the choices regarding their right to opt-out of those same choices. The latter may not be "longer or more difficult or time-consuming than the path to exercise a less privacy-protective option" Cal. Code Regs. tit. 11, § 7004 (2).

In the Final Stipulated Order, the CPPA noted that the automaker used OneTrust, a third-party compliance vendor, to provide website visitors with a cookie management tool. The tool allowed consumers to toggle whether they wanted to allow or disallow advertising cookies. The CPPA alleged that consumers had to follow two steps to disallow advertising cookies (first, they had to click a toggle button and second, they had to confirm their choices)—but they only needed to click one button to "Allow All" cookies, as shown below.

1612246a.jpg

Image Source: American Honda Motor Co., Inc. – Case No. ENF23-V-HO-2 (2025)

The CPPA's interpretation of symmetry in choice is quite rigid and the agency has ordered the automaker to provide consumers with a "Reject All" button that mirrors the "Allow All" button pictured above. The CPPA's settlement underscores the agency's proactive approach to enforcing the CCPA.

Key Takeaways

The CPPA's strict interpretation of symmetry in choice means businesses subject to the CCPA should immediately review their cookie management solutions and review how they present the choices provided to their customers. Although the test here is simple (one-click opt-in must be accompanied by a one-click opt-out button), businesses using third-party tools should confirm with their selected service providers that the choice presented to consumers can comply with the CCPA's symmetry in choice requirement. Similarly, businesses that have developed their own in-house solutions should consult with their teams to update their tools accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More