Key Takeaways from the California Privacy Agency’s First CCPA Enforcement Action
On March 12, 2025, the California Consumer Privacy Protection Agency (CPPA or Agency) announced a settlement with an auto manufacturer, marking the Agency’s first enforcement action under the California Consumer Privacy Act (CCPA or Act), which has to date only been enforced by the California Attorney General. While the settlement followed the CPPA’s connected car investigative sweep announced in July 2023, the Agency’s allegations are not specific to the automotive industry, and instead should be viewed as instructive for any business subject to California’s broad and prescriptive CCPA and implementing regulations.
Below, we share top takeaways from this landmark enforcement action.
- All companies – including but not limited to companies in the connected vehicle space – should pay attention to the Agency’s enforcement of the CCPA. While California’s settlement was with Honda, the Agency’s Order of Decision makes no mention of any connected vehicle-specific issues. Instead, the Agency alleges violations of the Act’s comprehensive requirements that apply to any business subject to the law. Thus, while the auto industry remains a focus for policymakers and enforcers at both the federal and state levels, this action signals to businesses across all sectors and verticals that the Agency is actively enforcing the CCPA.
- There is no de minimis exception to CCPA compliance. The Agency’s Order states that the administrative fine associated with the settlement “accounts for [the company’s] conduct toward” a total of 153 alleged violations, while also noting as a factual finding that on an annual basis, the company sells or shares the personal information of more than 100,000 consumers. Comparing these numbers, the Agency appears to be prepared to take issue with any violation of the law, even where, as here, the alleged violations make up a fraction of a percentage of consumer interactions.
- There is no longer a “right” to cure CCPA violations. The CCPA initially included a 30-day right to cure that allowed businesses time to respond and cure alleged violations before facing enforcement. That right to cure was eliminated by subsequent legislation, with the Agency now having the ability to provide an opportunity to cure at its discretion. The factual findings in the Order do not mention the company having an opportunity to cure.
- The CPPA strictly construes requirements for consumer-request and consumer-consent mechanism design and implementation. The CPPA’s rules to implement the CCPA require businesses to design and implement consumer-request and consumer-consent mechanisms that present consumers with symmetry in choice. Here, the Agency alleged that the company’s “cookie management tool fails to provide symmetrical choice” because consumers could accept “cookies with one click, [but] opting out of the cookies requires at least two clicks.” This allegation reveals a strict reading of the Agency’s prescriptive rules, which also require that these mechanisms be easy to understand, easy to execute, avoid elements that are confusing, and avoid designs that impair or interfere with consumer choice.
- When it comes to verifying consumer requests, there is no one-size-fits-all approach under the CCPA. This settlement illustrates the operational complexities of the CCPA in action. As the Order explains, different consumer requests must be handled differently. For some requests, businesses are required to verify that the consumer is who they say they are, but for other requests, businesses are prohibited from requiring such verification and may not ask consumers for more information than “necessary to complete the request.” Here, the CPPA alleged that the company only needed two data points to identify consumers within its database, but that it unlawfully required consumers to complete at least eight data fields for all consumer requests, including for opt-out requests for which the Agency asserts that verification is prohibited.
- Contracts with marketing and advertising partners are a must under the CCPA. The CCPA requires that businesses have certain contracts in place when personal information is transferred. Here, the Agency alleged that the company “could not produce contracts” with advertising technology companies it had shared consumer data with – making clear that the Agency applies the contract requirement broadly, to include contracts with advertising tech partners.
Wiley’s Privacy, Cyber & Data Governance and Connected & Autonomous Vehicles practices have broad experience in navigating rulemakings and compliance surrounding cutting-edge technology and the evolving legal landscape. For questions about this alert, please contact the authors.