Last week, we discussed the general context of privacy in the US. This week, we are shifting our focus to one of the more recent and pivotal enforcements.
This article is co-written by Joss Merckaert, Project Lead & Parker Bacon, Senior Consultant at fifty-five.
On March 12, 2025, Honda reached a settlement with the California Privacy Protection Agency over privacy violations, with vast implications for all businesses operating in California. The CPPA alleged that Honda, a prominent global automaker, was violating the state’s major consumer privacy protection act by making opting out of data collection much more difficult than opting in for consumers, among other issues. As a result of this decision, the company will modify its privacy procedures and pay a fine to resolve the claims.
This agreement indicates a new era of enforcement under California's developing privacy regulations, especially as it relates to opt-out tools such as cookie banners. Companies actively working in California should pay close attention and respond accordingly.
The California Consumer Privacy Act (CCPA, not to be confused with the CPPA, California’s privacy agency) came into force in January 2020. It was the first major U.S. privacy law of the big data era. One of its most significant innovations was requiring companies to provide California-based consumers with an opt-out mechanism for the sale or sharing of their data. This covers any situation where data is transferred to a third party for valuable consideration.
The CCPA also requires building documentation and internal processes. You can read more about the CCPA on the CPPA website.
So far, enforcement under the CCPA has been mostly limited to data breaches and hidden data processing, with the only major webanalytics decision before Honda being the 2022 case against Sephora. The central issues in that case were the failure to respect Global Privacy Control signals (which will be the main topic of next week’s article) and the lack of sufficient legal documentation for data transfers.
The Honda decision marks a new wave of actions against businesses that fail to comply with the CCPA’s rules on online data collection.
Compared to the Sephora case, the Honda decision is much broader and has implications for all online data collection tracking practices, as it targeted cookie banners, general forms, documentation, and legal contracts. In particular, four key areas of concern were highlighted in the decision:
A fine of $632,500 was imposed on the company, a sum that remains quite modest when compared to fines imposed in Europe for similar violations of the EU’s seminal privacy law (the GDPR), or related to breaches / hidden data sales under the CCPA, which have already exceeded $100M. However, given the fines in Europe for similar violations started quite small but then grew rapidly, the same evolution could also occur in California, with fines potentially reaching comparable amounts for major Californian businesses.
Usually, one of the best ways to understand how to react to a new law is to see how the penalized company adapted to the decision. However, some of the effects of the decision remain unclear in this case, as Honda may not have yet adapted its processes.
In particular, while the documentation requirements were clarified, many doubts remain regarding cookie banners. A cookie banner (including its California-specific version, the “Do Not Sell / Share” banner) is usually seen as an efficient, legible way to manage consent and increase consumer trust. Now, the decision reaffirmed that cookie banners must respect the “symmetric” rule introduced by the CCPA (Cal. Code Regs. Tit. 11, § 7004): “the path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option.” However, the exact implications of this paragraph, and of the CPPA decision, remain unclear, especially for the companies using a banner that appears directly when visitors browse their websites for the first time.
We highly recommend marketers work closely with their legal departments to review the decision and give guidance on how best to comply. This includes reviewing the cookie banner format and ensuring its relevance following the new laws.
Until the CPPA releases further guidance, there will likely be a period of confusion and uncertainty across both marketing and legal teams. In the meantime, we suggest carefully documenting your processes so that you can present clear explanations during a potential control by the CPPA.
The Honda decision is a strong reminder that privacy laws are actively being enforced in California, especially for website data collection, and that, soon, similar legislation could be voted on in many other states. While penalties are currently small in comparison to European standards, they will likely start to increase gradually.
Marketers need to involve their legal departments to make sure they take appropriate action following the Honda ruling, particularly when it comes to their cookie banners. They must also remain alert, as every new enforcement action will bring additional clarity. Overall, marketers should work in close partnership with their legal departments and experts with privacy experience to deploy privacy-safe data collection, especially after cases like Honda’s, where some details remain unclear but still have major business implications.
Next week, we’ll dive into Global Privacy Control (GPC), which was the focus of the first major CCPA enforcement action regarding website data collection. We’ll explain what GPC is, why it matters, and how your business can stay compliant. Stay tuned! Until then, don’t hesitate to contact us for more information on privacy-compliant business practices, in the US and beyond.
Discover all the latest news, articles, webinar replays and fifty-five events in our monthly newsletter, Tea O'Clock.
.jpg)
.svg)
