The California Privacy Protection Agency (CPPA) issued a decision requiring Ford Motor Company to pay a fine of $375,703 and update its privacy practices following a settlement for its alleged violations of the California Consumer Privacy Act (CCPA). Under the CCPA, California residents have the right to direct a business to stop selling or sharing their personal information by opting out. According to the CPPA’s decision, Ford’s opt-out process for personal information collected through its digital properties and connected vehicle services required an identity verification step. Specifically, consumers had to verify their email address as part of the opt-out workflow. The CPPA concluded this added “unnecessary friction” for consumers trying to exercise their rights.

The result was more than added inconvenience: the CPPA stated that Ford did not process opt-out requests unless the consumer completed the email verification step. Following the CPPA’s investigation, Ford has since processed opt-out requests that lacked verification. In addition to the monetary fine, Ford must conduct an audit of the tracking technologies on its website and ensure compliance with opt-out preference signals, including the Global Privacy Control.

This enforcement action highlights an increasingly practical regulatory focus. The question is not only whether an opt-out mechanism exists on paper, but also whether it works in a way that consumers can realistically use.

This matter signals that the CPPA is looking at connected vehicle ecosystems and related digital properties, not just traditional web-only businesses. The lesson here is that if consumers must take extra steps that are not essential to submit or effectuate an opt-out, regulators may view that as deterring consumers from exercising their rights.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.