Honda Settles With CPPA Over Privacy Violations
Automaker Will Change Business Practices and Pay $630k+ Fine

News:

SACRAMENTO – The California Privacy Protection Agency (CPPA) Board has issued a decision that requires American Honda Motor Co. to change its business practices and pay a $632,500 fine to resolve claims that the company violated the California Consumer Privacy Act (CCPA). The investigation arose from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies.

The CPPA’s Enforcement Division alleged that Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

To resolve the allegations, Honda agreed to implement a new and simpler process for Californians to assert their privacy rights. The company is required to certify its compliance, train its employees, and consult a user experience (UX) designer to evaluate its methods for submitting privacy requests. Honda must also change its contracting process to ensure appropriate mechanisms are in place to protect personal information.

In addition, Honda will pay a $632,500 fine. The CCPA authorizes the Agency to impose an administrative fine of up to $2,500 for each violation ($7,500 for each intentional violation), plus an increase for inflation, in addition to ordering businesses to cease engaging in violative business practices. The order spells out the number of consumers whose rights were implicated by some of Honda’s practices, underscoring that fines apply on a per violation basis.

“The remedy should fit the problem behavior,” said Michael Macko, head of the Agency’s Enforcement Division. “We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations. Today’s resolution reflects Honda’s early cooperation and commitment to make things right,” said Macko.

“The CPPA’s mission is to protect privacy for all Californians. We are dedicated to holding businesses accountable when their practices threaten Californians’ privacy rights,” said Tiffany Garcia, the Agency’s Interim Executive Director. “This agreement underscores our commitment to advocating for improved business practices that truly benefit consumers.”

About Us

The California Privacy Protection Agency is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act.

Individuals can visit privacy.ca.gov to access helpful and up–to–date information on how to exercise their rights and protect their personal information. In addition, the Agency's website provides important information about CPPA board meetings, announcements, and the rulemaking process.