Your Webform And Cookie Manager Practices Might Cost You $632.5K: Breaking News From The CPPA x Honda

by: Dhara Shah

The California Privacy Protection Agency (CPPA) has announced a settlement with American Honda Motor Co. over alleged violations of the California Consumer Privacy Act (CCPA). The settlement focuses on issues relating to Honda’s privacy rights webform, missing DPAs, and lack of equal choice in the cookie manager.

Here is what you need to know:

For Your Cookie Manager

Make sure the options to decline and accept cookies are equal in choice: it should take the same number of steps to opt out of cookies as it takes to opt in to them. The CPPA found that Honda’s setup, which required a user to first click a toggle button and then click Confirm My Choices, was not equivalent to the opt-in (which was presented as a large Allow All button).

So what’s the fix? Present two equal buttons that state “Accept All” and “Deny All” on the cookie manager. A reminder that this idea of symmetrical choices extends to any instance in which you collect a user’s consent.

For Your Privacy Rights Webform

There are a few things to note here. Let’s break it down.

1. Limitations on In-Form Verification of Requests: Make sure you are only verifying requests to know, delete, and correct. The CPPA reminds us that requests to opt out of sales/sharing and requests to limit the use and disclosure of sensitive personal information should not be verified. Honda was asking consumers to submit at least 8 data points (more on this below), regardless of the type of request the user was submitting. Make sure you aren’t collecting “verification” information for the last two rights.

2. Permitted Data Points for Verification: For rights that allow it, make sure you are only collecting the data you need to verify a request. As I mentioned above, Honda was requesting 8 data points (first name, last name, address line, city, state, zip code, email, and phone number). The CPPA stated that Honda is unlawfully requiring consumers to provide more information than is necessary to process these requests. A reminder that you should only require 2 data points (not 8!) to verify a request.

3. Notes on Authorized Agents: Make sure your authorized agent language is set up properly. The CPPA reminds us that the above applies to authorized agents (meaning, don’t ask to verify rights to opt-out of sale/sharing and limit SPI & don’t collect more data than necessary). The CPPA also found issue with Honda asking the consumer to directly confirm with Honda that they gave permission to the authorized agent to submit the request on their behalf. As a reminder, you can ask the authorized agent to provide signed permission and you can contact the consumer separately to confirm their permission – but don’t put it in the webform!

For Contracts With Your Marketing and Advertising Providers

Make sure you have proper contracts with the necessary CCPA language to establish your service provider/third party relationship with your vendors. The CPPA asked Honda to produce these contracts, and Honda failed to do so. Review your vendors and make sure the CCPA-mandated language exists in these contracts!

One More Reminder for the Road: Make sure you have links to your cookie manager in the footer of your website, in your privacy policy, and on the privacy rights webform.

Penalties & Next Steps for Honda

Honda now faces a $632.5K fine and must take steps to resolve the allegations – including to consult with a user experience (UX) designer to review and improve its privacy rights webform & train its employees that handle requests on the CCPA and its regulations.

So What Does This All Mean? Companies subject to the CCPA should review their webforms, cookie managers, and contracts to ensure that they comply with the CCPA’s requirements, including the flagged points of issue above. Where one regulator goes, the others are sure to follow. With the number of US states that have similar privacy laws in the double digits, compliance with these laws is not something to ignore.

Originally published by InfoLawGroup LLP.