California Privacy Protection Agency v Honda; settlement with Honda paying $632,500 fine for breaching California Consumer Privacy Act by requiring excessive personal information, making it difficult for people to exercise their rights and not properly protecting privacy

March 31, 2025

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state-based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $632,500.

The CCPA grants California consumers the right to:

  • know that personal information is collected, used, shared or sold;
  • delete personal information held by businesses;
  • opt out of sale of personal information;
  • non-discrimination in terms of price of service.

Under the CCPA businesses must, inter alia:

  • provide notice to consumers before data collection;
  • create procedures to respond to requests from consumers to opt out, know and delete;
  • respond to requests from consumers to know, delete and opt out;
  • disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information.

According to the final order the breaches related to:

  • Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
  • Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
  • Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
  • Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Before it would act on a request to opt out of sale/sharing or to limit the use of sensitive personal information, Honda required consumers to provide more than two data points (sometimes up to eight), which it matched against data in its own database. The CPPA found that this was more than necessary simply to exercise the rights to opt out of sale/sharing and to limit the use of sensitive personal information.

The business should have asked only for the information necessary to complete the request to opt out of sale/sharing or to limit the use of sensitive personal information.

Lack of Symmetrical Choices. If a business offers a privacy-protective choice or option (such as a cookie banner), that option must be symmetrical. The path for a consumer to exercise a more privacy-protective option should not be longer, more difficult or more time-consuming than the path to exercise a less privacy-protective option. Honda’s cookie preference banner had an “Allow All” option, a “Confirm My Choices” option, and then an option to turn off specific types of cookies. This was not symmetrical. To be symmetrical, the banner needed a “Reject All” option as well.

Lack of Contracts. The CCPA requires businesses that disclose personal information to third parties to have proper contracts in place. Honda did not have CCPA-compliant contracts in place with its third-party providers.

The Agency’s media release provides:

SACRAMENTO – The California Privacy Protection Agency (CPPA) Board has issued a decision that requires American Honda Motor Co. to change its business practices and pay a $632,500 fine to resolve claims that the company violated the California Consumer Privacy Act (CCPA). The investigation arose from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies.

The CPPA’s Enforcement Division alleged that Honda violated Californians’ privacy rights by:

    • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
    • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
    • making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
    • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

To resolve the allegations, Honda agreed to implement a new and simpler process for Californians to assert their privacy rights. The company is required to certify its compliance, train its employees, and consult a user experience (UX) designer to evaluate its methods for submitting privacy requests. Honda must also change its contracting process to ensure appropriate mechanisms are in place to protect personal information.

In addition, Honda will pay a $632,500 fine. The CCPA authorizes the Agency to impose an administrative fine of up to $2,500 for each violation ($7,500 for each intentional violation), plus an increase for inflation, in addition to ordering businesses to cease engaging in violative business practices. The order spells out the number of consumers whose rights were implicated by some of Honda’s practices, underscoring that fines apply on a per violation basis.

“The remedy should fit the problem behavior,” said Michael Macko, head of the Agency’s Enforcement Division. “We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations. Today’s resolution reflects Honda’s early cooperation and commitment to make things right,” said Macko.

“The CPPA’s mission is to protect privacy for all Californians. We are dedicated to holding businesses accountable when their practices threaten Californians’ privacy rights,” said Tiffany Garcia, the Agency’s Interim Executive Director. “This agreement underscores our commitment to advocating for improved business practices that truly benefit consumers.”

 
