
On March 12, 2025, the California Privacy Protection Agency (Agency) announced a stipulated final order settling an enforcement action against a multinational automobile maker. This marks the first settlement of an enforcement action by the Agency against a non-data broker. The action focused on the automobile maker’s alleged violations of the California Consumer Privacy Act (CCPA) procedures for processing and responding to consumer data requests.

In detail

According to the order, the deficiencies in the respondent’s privacy rights management system were fourfold.

First, the Agency found that the company imposed an excessive verification standard for consumers to exercise their privacy rights under the CCPA, specifically the rights to opt out of the sale or sharing of personal information and to limit the processing of sensitive personal information. Although verification is mandated by the CCPA with respect to other types of consumer requests (e.g., deletion, correction, access), the CCPA restricts businesses from requiring verification for opt-out requests (Cal. Code Regs § 7060(a)-(b)). Additionally, when verification is required, businesses may only ask consumers for information necessary to complete the request without making the process “burdensome” (§ 7060(b)). A business must generally avoid requesting additional information from the consumer for purposes of verification (§ 7060(d)).

Second, the Agency alleged the respondent made it onerous for individuals to appoint agents to exercise rights on their behalf. Specifically, the auto maker required consumers to directly confirm whether they had appointed an agent to invoke consumers’ requests to opt out of the sale or sharing of personal information and to limit the processing of their sensitive personal information. Although businesses may ask agents for a signed authorization, they are prohibited from confirming an agent’s authorization directly with the consumer for requests to limit the use of sensitive personal information or opt out of sales and sharing (§ 7063(a)).

Third, the respondent allegedly offered an asymmetrical cookie management interface. The Agency specifically claimed that the auto maker’s cookie management tool designated all types of cookies as allowed by default and required users to perform two steps to disable cookies: by deselecting the toggle button for each cookie type, then clicking the “Confirm My Choices” button. However, if a user wished to allow cookies, they could do so in only a single step: by clicking the “Allow All” button, which requires no further confirmation. The Agency alleged this mechanism violates § 7004 of the CCPA regulations, which requires that the “path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option[.]” Notably, the auto maker used an established compliance platform to implement its cookie management tools.

Finally, the Agency found shortcomings in how the auto maker engaged third-party advertising technology partners. The CCPA requires businesses that share personal information with service providers, contractors, and other third parties to enter written contracts with those parties that include certain mandatory restrictions on the service provider’s processing of personal information and rights for the business to take steps to protect the personal information (Civ. Code § 1798.100(d); Cal. Code Regs §§ 7051, 7053). The Agency found that, although the auto maker shared personal information of consumers with advertising technology service providers, it was unable to furnish contracts with these third parties.

The stipulated order requires the auto maker to pay an administrative fine of $632,500 and to take various measures to address the alleged infringements. The monetary penalty far exceeds the amounts imposed by the Agency on data brokers in recent settlements.

Takeaways

The Agency’s inaugural enforcement action against a non-data broker illustrates the Agency’s enforcement priorities and interpretation of certain requirements under the CCPA and its implementing regulations. The order makes it clear that the Agency is looking at businesses, people, processes, and technology for compliance obligations and enforcement actions. Businesses should work with counsel to ensure that their processes for receiving, reviewing and fulfilling consumer privacy requests are designed to comply with laws like the CCPA. Additionally, while partnering with a cookie management platform can streamline compliance, it remains critical that cookie management tools are reviewed and configured in light of applicable statutes and regulations. Managing relationships and contracts with service providers who receive and process data is also key, and agreements should be vetted to ensure that they include privacy and data protection provisions as required by state consumer privacy laws.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Garrett is an associate in Baker McKenzie's North America Intellectual Property Group and is based in our San Francisco office. His practice focuses on helping clients build effective information governance programs, comply with privacy laws and regulations, and respond to cybersecurity incidents.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.