Association Events
Learn about NHADA's major events and fundraisers.
Background and Allegations
CCPA Violations
The CPPA’s investigation began in 2023 and centered around multiple compliance issues in Honda’s handling of consumer privacy rights. Specifically, the CPPA alleged that Honda imposed unnecessary barriers on Californians seeking to exercise privacy rights and to have obstructed Californians’ ability to authorize third-party representatives (“authorized agents”) to assert their privacy rights. The CCPA mandates simple and direct methods for authorized agents to act on consumers’ behalf, and Honda’s additional verification demands violated these requirements, according to the CPPA.
Honda’s Cookie Banner Practices and Third-Party Vendor Management
The investigation also revealed non-compliant cookie practices. Honda used cookie banners that defaulted to advertising cookies being enabled, requiring consumers to take extra steps to opt-out. Specifically, Honda’s banner presented only the option to “Allow All” cookies, requiring consumers to proactively navigate to a “Manage Preferences” to opt-out. The CCPA requires that opting out be as straightforward as opting in, meaning consumers should not have to take additional, burdensome steps to limit the collection or sharing of their data.
Moreover, Honda’s contractual oversight with third-party advertising technology providers drew regulatory scrutiny. The CPPA highlighted Honda’s alleged failure to secure required contractual protections ensuring that its vendors handle consumer data in accordance with privacy law.
Remedial Actions Required for Honda
In addition to the $632,500 fine, Honda agreed to significant changes in their privacy compliance processes, including:
- Implementing required changes to their consent banner and consumer privacy request procedures.
- Conducting comprehensive employee training on privacy compliance.
- Engaging “experts” to evaluate and enhance consumer interaction with privacy request systems.
- Improving contracting processes to ensure proper data protection agreements are in place with third-party vendors.
So What Does This Mean For Dealers?
This case shows how seriously California (and other states) are taking the privacy rights under state privacy laws. In addition, it shows again, why all dealers in ALL STATES must have a compliant cookie banner. All dealers need to:
1. Have a process in place to properly handle consumer privacy requests.
Ensure privacy and consent management platforms function as described and fully meet compliance standards. Not all platforms, even those that are widely used outside of the dealership space, automatically achieve compliance. Dealers must carefully evaluate solutions to avoid platforms that fall short of their advertised capabilities. The mindset that “something is better than nothing” is no longer acceptable; dealers must confirm that their chosen solutions genuinely deliver on their promises.
Implement robust, efficient processes to respond to consumer privacy requests, including data access, deletion, and correction. Ensure visibility into third-party service providers’ data-sharing practices and maintain processes that guarantee their compliance.
Ensure robust contractual protections are in place with third-party vendors handling consumer data, clearly defining obligations to protect consumer information in accordance with the CCPA (and any other applicable privacy laws).
2. Employ compliant cookie banners.
The law in this area is complex, dimly understood (even by many lawyers), and changes quickly. Bottom line – it’s not easy to do this right, and most companies don’t do it right. Hiring just any vendor to simply place some language on your website is not enough. Indeed a faulty banner not only fails to protect you, it can easily lead to additional liability for the dealership.
3. Review All Sites – Especially Those Controlled by OEMs:
Dealers ultimately bear responsibility for ensuring all websites associated with their business meet all legal requirements. Be vigilant if an OEM or other third party controls a site or mandates different privacy policies, and collaborate with OEMs to harmonize compliance efforts. This includes third-party vendors who run on subdomains or Iframes connected to your website. Aside from compliance, dealers must do more to understand what is happening on your sites – because it’s your data! You are responsible for it, it’s sensitive and it’s valuable. Don’t let third parties take advantage of your websites.
4. Get Expert Advice:
ALL dealers – not just those in California – must address these issues by working with providers such as ComplyAuto. Simply put, ComplyAuto has the ONLY truly compliant and integrated state privacy law and cookie banner solution in the industry. And ComplyAuto’s privacy law compliance solution is not only comprehensive, we do it all for you.
This is a highly specialized and complicated area of the law. There are now 19 states that have, or are about to have, a comprehensive state privacy law. Moreover, the cookie consent issue and website concerns affect all dealers nationwide.
With ComplyAuto it is all automated and simple for any dealer. The ComplyAuto software manages your cookie banner, ensures a compliant privacy policy, and integrates both with your consumer request portal under state law. We even ensure that vendors sign the required contractual amendments – all on your behalf. It couldn’t be simpler for you.
The ComplyAuto team has decades of legal experience and we have been working with dealers for years on getting this right. We also work closely with state dealer associations (we are endorsed and recommended by 44/50 states) and have in recent months even worked closely with state enforcement agencies to ensure compliance for dealers. ComplyAuto has years of experience with the CCPA and other state privacy laws and has developed a comprehensive, automated approach to assist dealers with this difficult task. Contact ComplyAuto today to ensure your dealership is protected
Author: Marc Sanborn, Senior Product and Regulatory Specialist, ComplyAuto
The original article is available here.
