The California Privacy Protection Agency (CPPA) has announced the conclusion of its first-ever enforcement action under the California Consumer Privacy Act (CCPA). The target of this enforcement: Honda Motor Company.
After a lengthy investigation into Honda’s privacy practices dating back to 2023, the parties settled the case for $632,500.
There’s a lot to learn from this groundbreaking development, so we’ll break it down.
At first glance, one might assume that this case is directly related to the CPPA’s investigation into connected vehicles that it announced in 2023. While that was likely the genesis, the outcome of the case makes no mention of Honda’s collection of personal information from drivers of its vehicles. Instead, it focuses primarily on the privacy-request forms found on Honda’s website.
In other words, all businesses that must comply with the CCPA should pay attention, because this applies to them as well.
One of Honda’s alleged violations stems from requiring too much information from consumers who wanted to submit privacy requests. Here’s why.
Privacy-request verification under the CCPA is a little complicated. Whereas some request types (Requests to Know, Correct, and Delete) require verification of the consumer’s identity, others (Opt-Outs and Requests to Limit Use of Sensitive Personal Information) prohibit verification of the consumer’s identity. Why? It deters consumers from submitting an Opt-Out or Request to Limit and there is virtually no downside for the consumer if someone submits one of these requests in their name.
Despite this rule, Honda—along with many, many other companies—used the same privacy request form for all request types. The form, provided by OneTrust in this instance, required consumers to enter a significant amount of personal information, such as mailing address and phone number, in order to submit an Opt-Out or Request to Limit. The investigation found that this information was not necessary to identify the consumer, so it amounted to requiring verification when verification is prohibited.
We’ve always known about this rule, but now we know the CPPA takes it very seriously.
Honda used a cookie management pop-up to let consumers opt out of targeted advertising, but the CPPA determined that the pop-up employed a dark pattern to impair consumers’ ability to choose. Specifically, the agency found that there was an asymmetry in the number of steps required to opt out vs. opting in.
In order to opt out of advertising cookies, a user had to deselect the advertising toggle and then click “Confirm My Choices.” This requires two clicks. To opt back in, the user only had to click once on “Accept All.” Two clicks is more than one click, and that’s all it took for the CPPA to see a CCPA violation.
All Honda had to do to avoid this was to have a “Reject All” button that allowed for one-click opt-outs.
The CPPA found that Honda required unnecessary information from consumers when they had an authorized agent submitting Opt-Outs or Requests to Limit on their behalf.
This is related to the prohibition on verifying Opt-Outs and Requests to Limit. When an authorized agent submits an Opt-Out or Request to Limit for a consumer, the business may ask the agent to verify its authority to act on the consumer’s behalf. However, the business may not directly contact the consumer to verify the agent’s authority. The reasoning for this is that it amounts to requiring verification where verification is prohibited.
Honda automatically sent communications to consumers requiring them to confirm the agent’s authority to act on their behalf for all privacy requests, including Opt-Outs and Requests to Limit, so this was a violation.
Anyone familiar with privacy compliance already knows that businesses providing personal information to "service providers" for processing on their behalf must have contractual language in place that protects consumers’ privacy.
The California Privacy Rights Act (which amended the CCPA) introduced a new requirement: Businesses must have contractual language in place with all data recipients, not just service providers. This language includes a limitation on the data recipient to only use the personal data for purposes identified in the contract.
Honda did not have such a contract with its adtech partners, so it violated the CCPA. Unfortunately, this is a compliance gap for many businesses because most vendors have been unwilling to add such language to their service agreements. Perhaps this case will provide tech companies with the necessary motivation to update their contracts.
The CCPA’s mandatory 30-day cure period went away on January 1, 2023. That means neither the CPPA nor the Attorney General has to give businesses a chance to fix violations before proceeding with enforcement.
Judging by the case against Honda, the CPPA is not inclined to give businesses the benefit of the doubt:
That didn’t matter. The CPPA still went ahead with the enforcement and required Honda to pay over $630K.
Other businesses should take note and not expect any leniency from the California Privacy Protection Agency.
As privacy enforcement picks up pace, noncompliance is becoming an increasingly expensive gamble. Laws like the CCPA have already been in force for years, and authorities aren’t taking them lightly.
Rather than take a risk that could cost your company hundreds of thousands of dollars, get compliant quickly and cost-effectively with TrueVault. Guided by our attorney-designed software and experienced support team, you can create a data map, onboard vendors, post privacy notices, and be ready to respond to consumer requests, all within a matter of business days. As new U.S. privacy laws go into effect, they are automatically added to your privacy center at no extra cost.
Best of all, your compliance is backed by a guarantee against fines up to $250,000!
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.