Repairer Driven News

Honda to pay $632,500 fine for California Privacy Act violations


The California Privacy Protection Agency (CPPA) Board has ordered American Honda Motor Co. to change its business practices and pay a $632,500 fine to resolve claims that the company violated the California Consumer Privacy Act (CCPA).

The decision comes amid the CPPA Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies.

CPPA began its review in July 2023. At the time, former CPPA Executive Director Ashkan Soltani said the goal is to understand how automakers comply with state law when they collect and use consumer data.

According to a March 12 press release, the division alleged Honda violated Californians’ privacy rights by:

    • “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
    • “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
    • “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
    • “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Honda agreed to implement a new and simpler process for Californians to assert their privacy rights to resolve the allegations, the release says.

The OEM also has to certify its compliance, train its employees, consult a user experience designer to evaluate its methods for submitting privacy requests, and change its contracting process “to ensure appropriate mechanisms are in place to protect personal information.”

The CCPA authorizes the agency to impose an administrative fine of up to $2,500 for each violation ($7,500 for each intentional violation), plus an increase for inflation, and to order businesses to cease engaging in violative business practices.

According to the order, for consumers to make a privacy request, a request to correct, and a request to appeal a denial, Honda requires their first name, last name, address, city, state, zip code, preferred method to receive updates, email, and phone number. Providing the brand of the product they own and the VIN or serial number is optional.

“By requiring all of this information, Honda’s webform unlawfully requires consumers to provide more information than necessary to exercise their CCPA rights to opt-out of sale/sharing of their personal information and to limit the use and disclosure of their sensitive personal information,” the order states. “Honda essentially applies a verification standard to these rights.

“The CCPA distinguishes between consumer requests that require the business to verify that the consumer making the request is the consumer about whom the business has collected information and those requests that do not require verification. Specifically, requests to delete, requests to correct, and requests to know are verifiable consumer requests, while requests to opt-out of sale/sharing and requests to limit are not.”

In the release, Michael Macko, head of the CPPA’s Enforcement Division, said “the remedy should fit the problem behavior.”

“We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations,” he said. “Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”

CPPA Interim Executive Director Tiffany Garcia added, “We are dedicated to holding businesses accountable when their practices threaten Californians’ privacy rights. This agreement underscores our commitment to advocating for improved business practices that truly benefit consumers.”

A federal bill was introduced in December that Sens. Mike Lee (R-UT) and Jeff Merkley (D-OR) say will restore vehicle owners’ control over their personal data.

The “Auto Data Privacy and Autonomy Act” would “prevent covered vehicle manufacturers from accessing, selling, or otherwise selling certain covered vehicle data, and for other purposes,” according to the bill text.

If passed, OEMs would have to obtain consent from vehicle owners to access data or only access data to improve covered vehicle performance or safety, according to the bill. “Covered vehicle performance” isn’t defined in the bill.

Images

Featured image: chameleonseye/iStock
