California’s privacy regulator, the California Privacy Protection Agency (CPPA), is actively demonstrating its commitment to rigorous enforcement of the California Consumer Privacy Act (CCPA). In a recent enforcement action against Honda in March 2025, the CPPA levied a significant fine of $632,500, underscoring the importance of strict adherence to California’s evolving privacy regulations.

The CPPA’s action against Honda provides valuable insights into specific compliance pitfalls companies must avoid:

Excessive Verification Procedures

Honda imposed unnecessary obstacles for consumers attempting to exercise their privacy rights. Specifically, between July and September 2023, Honda required at least 119 consumers to provide excessive personal information for identity verification purposes. Additionally, the company unjustifiably denied at least 20 consumer requests based solely on unnecessary verification hurdles. The CPPA highlighted that verification processes must be proportionate and limited strictly to the information necessary for authentication.

Use of “Dark Patterns”

Honda’s cookie management tool, provided by OneTrust, incorporated “dark patterns”—misleading interface designs intended to influence user choices negatively. Consumers encountered multiple complicated steps to opt-out of cookie tracking, emphasizing that merely deploying a reputable compliance tool does not guarantee compliance. Organizations must carefully configure their cookie management systems to ensure clarity, simplicity, and genuine user choice.

Non-Compliant Vendor Contracts

Honda also failed to include mandatory CCPA terms in contracts with third-party advertising technology vendors that handled consumers’ personal information. This oversight is particularly critical, given the CCPA’s stringent requirements on data-sharing agreements, which differ notably from other U.S. state privacy laws and international regulations. Ensuring vendor contracts explicitly reflect the CCPA’s required provisions is essential for compliance and risk mitigation.

Challenges for Authorized Agents

Honda created unnecessary difficulties for authorized agents attempting to exercise privacy rights on behalf of consumers. At least 14 cases were documented where agents faced additional barriers, complicating the rights-assertion process. Businesses must facilitate clear and straightforward mechanisms that allow authorized representatives to effectively and efficiently advocate on consumers’ behalf.

This enforcement action resulted in not only the notable financial penalty but also mandated Honda to undertake comprehensive remediation steps, including revising contracts to comply with the CCPA within 180 days.

Crucially, this case illustrates that compliance deficiencies, even those seemingly minor or affecting a relatively small number of consumers, can lead to significant regulatory and financial repercussions, especially since the CCPA imposes penalties per violation.

Practical Steps for Companies to Ensure CCPA Compliance

1. Streamline Consumer Rights Requests: Ensure your processes for handling consumer privacy requests are accessible, user-friendly, and compliant, minimizing unnecessary verification steps.
2. Optimize Cookie Consent Interfaces: Avoid “dark patterns” by designing clear, transparent, and straightforward cookie management tools that genuinely allow users to exercise informed choice.
3. Review and Update Vendor Agreements: Contracts with third parties handling consumer data must incorporate all mandatory CCPA-specific clauses and clearly delineate data handling practices.

Companies seeking guidance to navigate CCPA complexities effectively and proactively mitigate risks should consult the Privacy Team at Bortstein Legal Group who understands the nuances and rapidly evolving landscape of data privacy law.

QUESTIONS? 

If you have any questions about the topics discussed, please reach out to your Bortstein Legal Group attorney or Benjamin Ross at bross@blegalgroup.com.