Honda to review privacy practices after $632k CCPA fine
Posted: March 14, 2025
It’s no secret that the costs of non-compliance can be staggering. Inadequate privacy practices can come with costly consequences, and for Honda, a $632,000 fine is enough to drive the point home. But what exactly went wrong for Honda, and could their privacy missteps have been avoided?
The California Privacy Protection Agency (CPPA) has recently issued a decision that orders the automotive giant Honda Motor Co. to review its privacy practices due to alleged violations of the California Consumer Privacy Act (CCPA), and to pay a $632,000 fine. The decision was the product of an investigation by the CPPA’s Enforcement Division, which claimed that Honda had violated Californians’ privacy rights in more ways than one.
How did Honda violate the CCPA?
California became the first US state to enact a comprehensive consumer privacy law in 2018 with the California Consumer Privacy Act. Granting California residents a set of privacy rights, the CCPA is a cornerstone of US privacy legislation and imposes significant consequences for non-compliance.
In Honda’s case, the allegations of CCPA violations stem from several questionable privacy practices, including:
- Requiring Californians to verify themselves and provide excessive personal information, such as first name, last name, address, and phone number, to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit.
- Using a cookie banner that failed to offer Californians their privacy choices in a symmetrical or equal way. Users had to complete two steps to opt out of advertising cookies, but only one step to opt back in.
- Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.
- Sharing consumers’ personal information with AdTech companies without producing contracts that contain the necessary terms to protect privacy, potentially putting consumers’ personal information at risk.
Honda’s apparent privacy lapses highlight how important it is for enterprises to ensure that all data collection practices comply with regulations and give consumers the opportunity to exercise their privacy rights.
But is a hefty fine and a mandate to revise their practices enough to ensure Honda stays compliant?
Another red light on the road to consumer privacy
This isn’t the first time Honda has been accused of having misaligned privacy practices.
In 2023, Honda was one of four major automotive giants accused of violating Washington’s state privacy laws for unlawfully recording customers’ private text messages and call logs via on-board infotainment systems.
Although the case was later dismissed, it underscores the ongoing challenges automotive manufacturers face in balancing technological advancements with stringent privacy regulations.
As vehicles become increasingly connected, automotive organizations must prioritize compliance to protect consumer data. And as a result of Honda’s latest privacy violation, the automaker will need to brush up on its privacy practices to ensure that consumer trust isn’t completely written off.
How automakers can steer clear of CCPA violations
As one of the most stringent US state privacy laws, the CCPA is non-negotiable for organizations handling consumer data from California residents. CCPA compliance done right can be highly rewarding for businesses, and, as we’ve seen with Honda, failure to comply can be detrimental.
So, what can automakers do to ensure CCPA requirements are met?
Understand the requirements, and their impact on your data collection practices
The CCPA outlines several significant requirements for businesses. Ensuring compliance and protecting consumer data starts with understanding these requirements and their impact on your data collection practices.
As a starting point, review all cookies and data points across your website to identify what type of information is collected and for which purposes. This will help you apply the CCPA’s provisions to your data collection practices and draft appropriate notices to inform your consumers about how their data is used.
Familiarizing yourself with the CCPA and its requirements is crucial for getting compliance right. The more knowledge of the privacy law you apply to your privacy practices, the better equipped you’ll be to protect consumer data and build trust.
Put consumers in control of their data
Under the CCPA, consumers have the right to know what personal information is being collected about them, the right to request the deletion of their data, and the right to opt out of the sale of their data.
At a minimum, obtaining clear, affirmative consent from consumers before collecting data is a must in order to achieve CCPA compliance. As we’ve witnessed with Honda, the consequences of not offering consumers an easy opt-out process can far outweigh any short-term benefits gained from non-compliance.
Implementing a consent management solution can not only streamline the consent collection process, but also ensure compliance with global privacy regulations, CCPA included. By giving consumers the autonomy to control their own data and decide how it is used, brands can ensure compliance while also benefiting from increased trust and consumer loyalty.
Read our research report: Smart cars, smarter consent
Explore the latest insights on consumer perceptions of data privacy in connected cars with our research report, “Smart Cars, Smarter Consent.” Surveying over 600 U.S. consumers, the report uncovers concerns about automotive data privacy, including:
- Insights into consumer attitudes toward data privacy in connected cars
- Emphasis on anonymization and transparency in automotive data practices
- Exploration of the types and extent of data collected by smart vehicles
- Identification of steps automotive makers can take to build and maintain consumer loyalty and trust
- Relevance of granular consent options in influencing consumer choices