California’s Top Privacy Cop Issues First Enforcement Decision
The California Privacy Protection Agency (CPPA) has issued its first Order of Decision, to American Honda Motor Co., in an enforcement action under the California Consumer Privacy Act (CCPA). Although the investigation arose from the CPPA’s ongoing review of the data privacy practices of connected car manufacturers and related technologies, there are some important takeaways for every business covered by the CCPA.
In the order, the CPPA alleged that Honda violated the CCPA’s privacy rights provisions by:
- requiring California consumers to provide excessive personal information to exercise their rights, including the opt-out of sale/sharing right (in violation of the requirement in Sections 7026(d), 7027(e), and 7060(b) of the CCPA Regulations);
- using an online privacy rights management platform that did not offer consumers a “symmetry of choice” in exercising their privacy choices (in violation of the requirement in Section 7004(a)(2) of the CCPA Regulations);
- not providing a user-friendly method for authorized agents to submit privacy rights requests on consumers’ behalf; and
- failing to provide to the CPPA copies of its contracts with advertising technology providers as required under the CCPA.
First, the Fine
The CPPA imposed a $632,500 fine on Honda, calculated under the CCPA based on the number of consumers whose rights the CPPA alleged were implicated by some of Honda’s practices. The order underscores that fines apply on a per-violation basis. The fine reflects only a small number of consumers (153, as described in the order) relative to the number that could have been implicated, but according to Michael Macko, head of the CPPA’s Enforcement Division: “We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations. [The] resolution reflects Honda’s early cooperation and commitment to make things right.”
An important point regarding this order: although the investigation arose out of a sweep of connected car manufacturers, nothing in the CPPA’s order relates specifically to the auto industry or to connected car technologies. The order offers a preview of what to expect from future CPPA enforcement actions and has three immediately actionable takeaways for all businesses subject to the CCPA.
Review your Rights Management Platform
The order took issue with a widely used rights management platform as implemented by Honda, alleging that Honda’s platform required more information than necessary from consumers exercising their CCPA rights to opt out of sale/sharing or to limit the use and disclosure of their personal information, in violation of the CCPA. “Requiring verification for the processing of a Request to Opt-Out of Sale/Sharing or Request to Limit impairs or interferes with the Consumer’s ability to exercise those rights. The CCPA prohibits businesses from designing methods for submitting CCPA Requests that substantially subverts or impairs the Consumer’s autonomy, decisionmaking, or choice. Id. § 7004; see also Civ. Code § 1798.140(h), (l).” According to the order, Honda’s process for handling CCPA requests did not distinguish between requests that required verification and those that did not, and so collected more information than necessary. Verification of identity for the exercise of consumer rights under the CCPA is not “one size fits all.”
Review your Consumer Request and Consent Mechanisms
The CCPA Regulations, implemented by the CPPA (Section 7004(a)(2)), require businesses to design request and consent mechanisms that present the consumer with “symmetry in choice”; in other words, you cannot create a path to a more privacy-protective option that is longer or more difficult for consumers to navigate than the path to a less privacy-protective option. The order alleged that Honda’s cookie management tool required too many steps for consumers to disable cookies and opt out of sharing through advertising cookies. Consumers could “accept all” cookies with one click (and thus opt in to sharing), but according to the order, opting out of the cookies and sharing required at least two clicks. According to the order, a symmetrical choice in this scenario “could be between ‘Accept All’ and ‘Decline All.’ [Section] 7004(a)(2)(C).” How does your cookie banner present options?
Audit your Vendor Contracts!
The CCPA requires that covered businesses that disclose personal information to a third party, service provider, or contractor enter into contracts containing the specific requirements set forth in Sections 7051 and 7053. According to the order, Honda discloses personal information of its consumers to ad tech companies who “in turn, use this Personal Information to track Consumers across different websites for advertising and marketing purposes.” The order alleges that Honda could not produce contracts with the ad tech companies, thus putting consumers’ personal information at risk. This is a clear call to covered businesses to ensure that any disclosures of consumer personal information to third parties, service providers, or contractors (all as defined in the CCPA) are subject to agreements that include the specific CCPA-required language, and that it is time to review these relationships, including those with ad tech companies.
These types of enforcement agreements carry costs beyond the fine. Under the settlement agreement, Honda agreed to a host of corrective actions in addition to the payment of the $632,500 fine:
- implement a new and simpler process for consumers to submit privacy rights requests consistent with the CCPA, and honor the Global Privacy Control;
- consult with a user experience (UX) designer to evaluate its methods for submitting privacy requests, certify to the CPPA that it received the UX designer’s recommendations, and provide the CPPA with a timeline for implementation;
- train employees on CCPA compliance; and
- change its contract management and tracking process to ensure compliance with the CCPA and confirm in writing to the CPPA that required contractual terms are in place with all recipients of personal information.
For questions about compliance with the CCPA, or other privacy-related issues, contact the author or any member of the Mintz Privacy and Cybersecurity practice.