On March 12, 2025, the California Privacy Protection Agency (CPPA) published its decision approving a Stipulated Final Order (Order) against a major automotive manufacturer (company) for violations of the California Consumer Privacy Act (CCPA). The Order requires the company to pay a $632,500 fine and implement several changes to its data handling practices. These changes include modifying its methods for submitting CCPA requests, ensuring proper contracts with advertising technology vendors, and providing updated training to personnel handling CCPA requests.
Signaling that California’s privacy enforcement environment is not letting up, the Order serves as a reminder for businesses to prioritize consumer privacy and adhere to the CCPA’s requirements. It underscores the importance of having privacy teams review consumer-facing interface designs, of handling CCPA requests properly, and of managing contracts and compliance documentation. Below, we summarize the allegations, settlement, and key takeaways from the Order to help businesses ensure compliance with the CCPA. This analysis is based on publicly available information, as we did not represent the company in this matter.
Allegations
The CPPA’s Enforcement Division began the investigation as part of its ongoing review of privacy practices by connected vehicle manufacturers and related technologies. Notably, however, while the company manufactures connected vehicles, the Enforcement Division’s allegations do not pertain to the company’s privacy practices unique to connected vehicles. Instead, the claims focus on the company’s web-based privacy rights request interfaces and its management of third-party risks through contractual safeguards:
- Excessive Information Collection for Privacy Rights Requests. The company provides an online form (Webform) for consumers to submit privacy rights requests. This Webform outlines various privacy rights available to consumers. But it allegedly required consumers to provide at least eight data elements to submit a request to opt out of the sale or sharing of personal information or limit the use or disclosure of sensitive personal information. Consequently, consumers had to provide more information than necessary and effectively verify their identities to proceed with their requests. Because the CCPA prohibits businesses from requiring consumers to verify their identities for these types of requests, the Enforcement Division determined that the Webform violated the CCPA.
- Unnecessary Confirmation for Authorized Agents. The Enforcement Division discovered that the company required consumers using authorized agents to directly confirm with the company that they had granted such authorization, regardless of the type of requests the agents submitted. The CCPA prohibits businesses from requiring consumers to provide such confirmation for requests to opt out or limit when submitted through authorized agents. Consequently, the Enforcement Division determined that the company’s handling of authorized agent-submitted requests violated the CCPA.
- Asymmetrical Cookie Management. The company’s website features a cookie preference center that allows consumers to disable three categories of optional cookies: “Performance Cookies,” “Functional Cookies,” and “Advertising Cookies,” all of which are enabled by default. According to the Order, consumers wishing to disable any category of optional cookies had to complete a two-step process: first, moving the toggle next to that category to the left, and second, selecting the “Confirm My Choices” button. In contrast, consumers who had previously opted out of optional cookies could opt back in with a single click by selecting the “Allow All” button on the cookie preference center. The Enforcement Division found that this choice architecture was asymmetrical and violated the CCPA as it required more steps for consumers to make a privacy-protective choice of disabling optional cookies than to make a less privacy-protective choice of enabling all optional cookies.
- Lack of Binding Contracts with AdTech Vendors. The Enforcement Division discovered that the company sold, shared, or disclosed personal information collected on its website to advertising technology vendors for marketing and advertising purposes. Despite the CCPA’s requirements for businesses to bind third parties, service providers, and contractors that receive personal information with specific contractual obligations, the company allegedly failed to produce written contracts with its advertising technology vendors.
Settlement
The Order requires the company to pay an administrative fine and comply with the CCPA, including by taking the following corrective actions:
- Administrative Fine. The company must pay an administrative fine of $632,500. Notably, the Order specifies that $382,500 of this fine is attributed to the company’s inadequate handling of privacy rights requests submitted by 153 consumers, amounting to $2,500 per consumer.
- Privacy Rights Requests. The company must update its practices for privacy rights requests by: (1) limiting the data elements required from consumers submitting requests to opt out or limit, ensuring only necessary information is collected to process the requests; (2) separating the methods for submitting requests to opt out or limit from those requiring verification; (3) not requiring consumers to directly confirm their authorization for agents submitting opt-out or limit requests on their behalf; and (4) requiring authorized agents to provide their own contact information, not the consumers’. The company must also ensure its personnel handling privacy rights requests are informed of all relevant requirements under the CCPA.
- Cookie Management. The company must update its cookie management architecture by (1) including a link to the cookie preference center in its privacy policy, Webform, and website footer; and (2) including a “Reject All” button in the cookie preference center that disables all optional cookies, ensuring symmetry in choice with the “Allow All” button.
- User Experience Design Enhancement. The company must engage an internal or external user experience designer to solicit recommendations on ensuring that the methods for submitting privacy rights requests are easy to use and not confusing to a reasonable consumer. The company must certify to the Enforcement Division that it has received these recommendations and provide a timed plan for their implementation.
- Contract Management. The company must update its contract management and tracking processes to ensure that all required contracts are in place with external recipients of personal information. The company must confirm to the Enforcement Division within 180 days of the Order that all such contracts are in place.
Key Takeaways
- Vigorous Enforcement. The Order serves as a warning to businesses that the CPPA intends to continue to vigorously enforce the CCPA. The company’s alleged conduct may be characterized as implementation gaps and technical deficiencies rather than clear and egregious violations. But the CPPA did not hesitate to bring an enforcement action, specifically seeking—and obtaining—a maximum fine for shortcomings related to consumers’ privacy rights. Businesses subject to the CCPA should therefore consider conducting a thorough review of their privacy practices to identify and close any compliance gaps, no matter how small.
- Shifts in Focus During Investigations. The scope of regulatory investigations can rapidly expand when regulators identify additional compliance gaps beyond the initial issues that caught their attention. For instance, the Enforcement Division’s investigation into the company initially focused on connected vehicles, but the enforcement action was ultimately driven by the company’s web-based privacy practices. Therefore, businesses subject to regulatory notices, inquiries, investigations, or proceedings may want to consider a swift and strategic identification of potential compliance gaps and associated risks.
- Compliance Documentation. It is critical to document the steps taken to comply with the CCPA to demonstrate compliance when regulators come knocking. The Order shows that the CPPA expects businesses to maintain documentation not only of internal compliance measures, such as policies and procedures for privacy rights requests and personnel training, but also of external safeguards, such as written contracts including required provisions with all external recipients of personal information. Regarding user experience, businesses should consider consulting subject matter and technical experts and implementing reasonable and objective measures to evidence compliance, such as conducting A/B testing to demonstrate that their choice architectures are easy to use and symmetrical.
These key takeaways are general considerations based on publicly available information provided in the Order. Businesses should consult with their legal counsel to assess their risk factors and determine any necessary changes to their privacy practices, policies, or procedures.
Alston &amp; Bird’s Privacy, Cyber &amp; Data Strategy Team and Privacy &amp; Cybersecurity Litigation Team have extensive experience assisting clients with their privacy compliance efforts, defending clients who receive inquiries and violation notices from privacy regulators, and defending clients in class action lawsuits asserting alleged violations of the CCPA. We will continue to monitor developments in privacy regulatory enforcement in California and other jurisdictions. Please contact us if you have any questions.