Connected cars: California settles with Honda over alleged privacy issues

In addition to the monetary penalty, the order mandates a significant number of corrective actions, including consulting a user experience designer.

The first data privacy enforcement action publicly taken by the California Privacy Protection Agency (CPPA) since it opened in December 2020 has been settled.

Last month, the CPPA entered into a Stipulated Final Order with American Honda Motor Co, Inc, settling alleged violations of the California Consumer Privacy Act (CCPA). The settlement arises from the CPPA’s investigation into the privacy practices of connected vehicle manufacturers, which began in July 2023. It requires Honda to pay a $632,500 fine and implement changes to consumer rights request processes under the CCPA.

The investigation arose from the state agency’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies.

Specific violations

The CPPA’s Enforcement Division alleged that Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

The CCPA prohibits businesses from requiring a consumer to verify their identity to opt out of the sale or sharing of personal information or to limit the use of sensitive personal information. According to the settlement, the CPPA alleged that Honda required consumers who submitted opt-out requests to provide the same information that it required for other consumer requests, including name, address, email, phone number, and vehicle identification number.

Businesses are required by the CCPA to implement methods for submitting opt-out and other requests that are symmetrical in consumer choice, so it is as easy to opt out as it is to opt in. Honda’s cookie management platform required a two-step process for opting out of advertising cookies: consumers had to toggle individual categories of cookies and then click a button to “confirm” those choices. Meanwhile, opting back into those cookies required only a single click of a button to “Allow All” cookies, the CPPA said.

The CCPA also requires businesses to enter into agreements with the service providers, contractors and third parties to whom they sell, or with whom they share, personal information. Those agreements must require the third-party service provider to limit its use of the personal information to specific, identified purposes and to comply with the CCPA. Honda failed to produce contracts meeting those requirements with the third-party advertising technology companies, the agency alleged.

Penalty

In addition to the fine, Honda agreed to implement a new and simpler process for Californians to assert their privacy rights. The company is required to certify its compliance and train its employees on state privacy requirements.

Interestingly, the Order requires Honda to consult with a user experience designer “who may be an independent consultant or Honda employee” to evaluate its data subject rights process. 

Honda must also change its contracting process to ensure appropriate mechanisms are in place to protect personal information.

The order spells out the number of consumers whose rights were implicated by some of Honda’s practices, underscoring that the fines imposed apply on a per violation basis.

“The remedy should fit the problem behavior,” said Michael Macko, head of the Agency’s Enforcement Division. “We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations. Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”

Your car is spying on you

In July 2023, the CPPA announced a review of data privacy practices by connected vehicle manufacturers and related, connected technologies.

The agency noted that these vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras.

“Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives,” the press announcement stated at the time.

“Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” said Ashkan Soltani, CPPA Executive Director.

State attorneys general have taken notice, too.

Last August, Texas Attorney General Ken Paxton sued General Motors for its false, deceptive, and misleading business practices related to its unlawful collection and sale of over 1.5m Texans’ private driving data to insurance companies without their knowledge or consent.