Data Privacy in the US: What the Honda Decision Means for Marketers

fifty-five
Published on 9/5/2025
The California Privacy Protection Agency’s recent settlement with Honda signals a tougher era of enforcement under the CCPA, especially around online data collection and cookie banners. This decision sets a new precedent for marketers, who must now ensure opt-outs are as simple as opt-ins, among other obligations, or risk serious penalties.

Welcome Back to Our Privacy Series

Last week, we discussed the general context of privacy in the US. This week, we are shifting our focus to one of the more recent and pivotal enforcements.

This article is co-written by Joss Merckaert, Project Lead & Parker Bacon, Senior Consultant at fifty-five.

On March 12, 2025, Honda reached a settlement with the California Privacy Protection Agency over privacy violations, with vast implications for all businesses operating in California. The CPPA alleged that Honda, a prominent global automaker, was violating the state’s major consumer privacy protection act by making opting out of data collection much more difficult than opting in for consumers, among other issues. As a result of this decision, the company will modify its privacy procedures and pay a fine to resolve the claims.

This agreement indicates a new era of enforcement under California's developing privacy regulations, especially as it relates to opt-out tools such as cookie banners. Companies actively working in California should pay close attention and respond accordingly.

Part 1: What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA, not to be confused with the CPPA, California’s privacy agency) came into force in January 2020. It was the first major U.S. privacy law of the big data era. One of its most significant innovations was requiring companies to provide California-based consumers with an opt-out mechanism for the sale or sharing of their data. This covers any situation where data is transferred to a third party for valuable consideration.

The CCPA also requires building documentation and internal processes. You can read more about the CCPA on the CPPA website.

So far, enforcement under the CCPA has been mostly limited to data breaches and hidden data processing, with the only major web analytics decision before Honda being the 2022 case against Sephora. The central issues in that case were the failure to respect Global Privacy Control signals (which will be the main topic of next week’s article) and the lack of sufficient legal documentation for data transfers.

The Honda decision marks a new wave of actions against businesses that fail to comply with the CCPA’s rules on online data collection.

Part 2: The Honda decision, explained

Compared to the Sephora case, the Honda decision is much broader and has implications for all online data collection and tracking practices, as it targeted cookie banners, general forms, documentation, and legal contracts. In particular, four key areas of concern were highlighted in the decision:

  1. Honda was utilizing a privacy management tool that failed to present choices symmetrically or equally. This tool required consumers to make more clicks in order to decline data use than it took to opt in.
  2. In order to exercise privacy rights like opting out of sale/sharing or limiting data use, consumers had to provide excessive personal information.
  3. Honda made it difficult for authorized agents to exercise privacy rights on behalf of consumers.
  4. Honda shared personal information with third parties (such as ad tech vendors) without contracts containing required privacy protections.

A fine of $632,500 was imposed on the company, a sum that remains quite modest when compared to fines imposed in Europe for similar violations of the EU’s seminal privacy law (the GDPR), or to fines related to breaches and hidden data sales under the CCPA, which have already exceeded $100M. However, given that fines in Europe for similar violations started quite small and then grew rapidly, the same evolution could also occur in California, with fines potentially reaching comparable amounts for major Californian businesses.

Part 3: What the Honda case means for marketers

Usually, one of the best ways to understand how to react to a new law is to see how the penalized company adapted to the decision. However, some of the effects of the decision remain unclear in this case, as Honda may not have yet adapted its processes.

In particular, while the documentation requirements were clarified, many doubts remain regarding cookie banners. A cookie banner (including its California-specific version, the “Do Not Sell / Share” banner) is usually seen as an efficient, legible way to manage consent and increase consumer trust. Now, the decision reaffirmed that cookie banners must respect the “symmetric” rule introduced by the CCPA (Cal. Code Regs. Tit. 11, § 7004): “the path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option.” However, the exact implications of this paragraph, and of the CPPA decision, remain unclear, especially for the companies using a banner that appears directly when visitors browse their websites for the first time.

We highly recommend marketers work closely with their legal departments to review the decision and give guidance on how best to comply. This includes reviewing the cookie banner format and ensuring its relevance following the new laws.

Until the CPPA releases further guidance, there will likely be a period of confusion and uncertainty across both marketing and legal teams. In the meantime, we suggest carefully documenting your processes so that you can present clear explanations during a potential audit by the CPPA.

Conclusion

The Honda decision is a strong reminder that privacy laws are actively being enforced in California, especially for website data collection, and that, soon, similar legislation could be voted on in many other states. While penalties are currently small in comparison to European standards, they will likely start to increase gradually. 

Marketers need to involve their legal departments to make sure they take appropriate action following the Honda ruling, particularly when it comes to their cookie banners. They must also remain alert, as every new enforcement action will bring additional clarity. Overall, marketers should work in close partnership with their legal departments and experts with privacy experience to deploy privacy-safe data collection, especially after cases like Honda’s, where some details remain unclear but still have major business implications.

What’s Next?

Next week, we’ll dive into Global Privacy Control (GPC), which was the focus of the first major CCPA enforcement action regarding website data collection. We’ll explain what GPC is, why it matters, and how your business can stay compliant. Stay tuned! Until then, don’t hesitate to contact us for more information on privacy-compliant business practices, in the US and beyond. 
