Listen to this post

Keypoint: The California Privacy Protection Agency settled its first non-data broker enforcement action with a $632,500 fine and other remedial measures.

On March 12, 2025, the California Privacy Protection Agency (Agency) announced its first non-data broker enforcement action requiring a vehicle manufacturer to pay an administrative fine of $632,500 in connection with the Agency’s review of connected vehicle manufacturers and related technologies’ privacy practices. The manufacturer also agreed to implement certain remedial actions.

In the below post, we provide an overview of the alleged violations and the penalties.

CCPA Alleged Violations

The Agency alleges four violations of the California Consumer Privacy Act (CCPA):

  1. The vehicle manufacturer unlawfully requires consumers to provide more information than necessary to exercise their CCPA rights.

By way of background, the CCPA distinguishes between requests to (1) know, delete, and correct and (2) opt-out of sale/sharing and limit the use and disclosure of sensitive personal information. Businesses can verify a consumer’s identity for the first set of requests but not for the second set of requests. 

According to the Stipulated Final Order, the vehicle manufacturer provides consumers with a toll-free telephone number and webform to submit CCPA requests. The webform uses the same process for receiving both sets of requests. Specifically, it requires consumers to provide their first name, last name, address, city, state, zip code, email, and phone number when submitting all CCPA requests. According to the Agency, this resulted in the manufacturer “essentially apply[ing] a verification standard” to the requests to opt out and limit use in violation of the CCPA. 

In addition, the Stipulated Final Order states that the webform makes consumers submit too much information. According to the Agency, the manufacturer “needs only two data points from the Consumer to identify the Consumer within its database.” However, as noted, the manufacturer’s webform requires consumers to complete eight data fields.

  1. The vehicle manufacturer unlawfully requires consumers to directly confirm with the vehicle manufacturer that they had given permission to an authorized agent to submit a request to opt-out of sale/sharing and request to limit.

The CCPA gives consumers the right to authorize another person to submit a request to opt-out of sale/sharing and limit the use and disclosure of sensitive personal information (i.e., an authorized agent). The CCPA’s prohibition on verifying these requests applies equally to authorized agent requests.

Businesses may ask the consumer’s authorized agent to provide the consumer’s signed permission demonstrating that they have been authorized to act on the consumer’s behalf. However, businesses may not require a consumer to directly confirm that they have provided the authorized agent permission to submit the request. Businesses may contact consumers directly in that manner only for requests to know, access, and correct.

Nonetheless, the Agency alleges that the vehicle manufacturer’s process for authorized agents requests does not distinguish between these requests and “unlawfully requires Consumers to directly confirm with [the manufacturer] that they had given permission to the Authorized Agent to submit a Request to Opt-Out of Sale/Sharing and Request to Limit.”

  1. The vehicle manufacturer’s cookie management tool fails to provide symmetrical choice when a consumer submits requests to opt-out of sale/sharing and consents to the use of their personal information for the purposes stated in the cookie management tool.

The vehicle manufacturer provides consumers the ability to opt-out of sale/sharing through a cookie management tool. The Stipulated Final Order outlines that the tool automatically allows the use of cookies by default. To turn off advertising cookies, the user must click on a toggle button next to “Advertising Cookies” and then click on the “Confirm my Choices” button. To opt back into advertising cookies, the consumer only needs to press one button, “Allow All,” and the pop up disappears.

The Agency alleges that by providing one step to opt-in but two steps to opt-out, the manufacturer did not provide equal or symmetrical choices in violation of the CCPA. The Agency states that an “equal or symmetrical choice . . . could be” providing consumers with “Accept All” and “Decline All” options.

  1. The vehicle manufacturer could not produce contracts with the advertising companies to which it sold, shared, or disclosed consumers’ personal information.

The Stipulated Final Order provides that the vehicle manufacturer sells, shares, or discloses personal information to third-party cookie providers who then use the personal information for advertising and marketing purposes across different websites. Under the CCPA, a business is required to execute an agreement with third parties that meets certain requirements and provides the necessary level of privacy protection to consumers. During the Agency’s investigation, the vehicle manufacturer allegedly could not produce the required agreements with the third parties to whom it sold, shared, or disclosed consumer personal information.

Remedial Measures

As noted, the vehicle manufacturer must pay an administrative fine of $632,500. This includes a $382,500 fine for 153 alleged violations with respect to consumer requests.

In addition to the administrative fine, the vehicle manufacturer must take the following remedial actions:

  • Separate the methods for submitting requests to opt-out of sale/sharing and limit the use and disclosure of sensitive personal information from the methods for submitting verifiable consumer requests.
  • Not require consumers to directly confirm with the vehicle manufacturer that they have given their authorized agent permission to submit a request to opt-out of sale/sharing or limit the use and disclosure of sensitive personal information on their behalf.
  • Change the process for authorized agents submitting CCPA requests so that the authorized agents provide their contact information in addition to the consumer’s contact information.
  • Change its cookie preference tool to include a “Reject All” button, providing symmetry in choice with the “Accept All” button.
  • Consult with a user experience designer to evaluate and make recommendations on its methods for submitting CCPA requests and implement changes based upon such recommendations.
  • Confirm in writing to the Enforcement Division within 180 days of the stipulated order that all required contractual terms are in place with all external recipients of personal information.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Stauss David Stauss

David routinely counsels clients on complying with privacy laws such as the EU’s General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as…

David routinely counsels clients on complying with privacy laws such as the EU’s General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US and EU), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Read more about David StaussDavid's Linkedin Profile
Show more Show less
Photo of Shelby Dolen Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data…

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.

Read more about Shelby DolenShelby's Linkedin Profile
Show more Show less
Photo of Marlaina Pinto Marlaina Pinto

Marlaina focuses on intellectual property and data privacy work.

With a prior career working with online data assets for a marketing technology and consulting company, Marlaina was drawn to the fast-paced changes in data privacy and AI regulations. During law school, she served

Marlaina focuses on intellectual property and data privacy work.

With a prior career working with online data assets for a marketing technology and consulting company, Marlaina was drawn to the fast-paced changes in data privacy and AI regulations. During law school, she served as editor-in-chief of the Colorado Technology Law Journal, where she worked with articles on emerging tech law and policy issues. She also served as both a law clerk and summer associate at Husch Blackwell, gaining practical experience in drafting privacy policies and tracking state privacy and AI bills. Her work at the firm further honed her skills in creating compliance strategies that address various privacy laws across different jurisdictions.

Read more about Marlaina Pinto
Show more Show less
Related Posts
 California Privacy and AI Legislation Update: October 7, 2024
October 5, 2024
 California Privacy and AI Legislation Update: September 2, 2024
September 1, 2024
 California Privacy and AI Legislation Update: August 26, 2024
August 25, 2024