Companies hounded by the California Privacy Protection Agency and state AG for supposed California Consumer Privacy Act violations are going to have Honda to thank for it in large measure.
I took a look at this resolution and I am just appalled.
Honda just paid $632,500.00 to resolve CCPA claims but to my eye the regulators were grasping at straws here. The supposed violations were ticky-tack, if not invented. And I cannot figure out why Honda would embolden the regulators–and lose hundreds of thousands of dollars–with this rollover settlement.
It seems like some lawyers just roll over as soon as a regulator comes knocking and that is such a mistake.
Let’s take a look at this.
Honda’s supposed crime here was twofold.
First, Honda supposedly required consumers to provide more information than necessary on non-verifiable consumer requests, which the regulators claim is not allowed under the statute. But it is unclear that Honda’s conduct actually exceeded the “Non-verifiable” requirements and, even if it did, it is unclear how these extra efforts to protect consumer privacy and provide a superior user experience actually lead to damage. This is especially true in the context of Honda’s third-party agent verification requirement.
In essence the regulator seemed to be claiming that since Honda conceded it did not need more than two pieces of data to execute on a request it should not have obtained more than two pieces of data. Not sure why Honda would concede that point but, regardless, a company’s subjective perception of need does not dictate the objective reach of a statute. So… junk.
From a practical standpoint, the vast majority of businesses out there are using a single process flow for both non-verifiable and verifiable requests. This sudden and jarring regulation by enforcement theoretically means basically every business out there is now in violation of the CCPA.
Eesh.
But it gets even worse.
Honda’s second supposed crime was having an “asymmetrical” cookie management tool. While that sounds fancy, it just means that it took 2 steps to opt out of cookies and only 1 step to re-opt-in.
Big whooping deal. (Or “Holy Santa Fe” to quote a recent Hyundai commercial.)
Opting out of something using two steps to assure things are done right and a consumer understands consequences versus opting back into something–after the consumer obviously has already been informed of the choices–is an asymmetrical experience by definition. In one part of the experience the user must be educated and then given an option. In the second part of the experience the user must only be given an option. This is just logic written into a sound user experience.
My mind is blown that Honda would settle this.
So everyone out there please make sure your two-step cookie dance works on the front end and the back end. And please make sure you have a process to seek to protect some categories of consumer information less than others.
Thanks.
And thanks Honda.
Sorry, but this was such an important moment for a well-funded company with good in-house counsel to make a forward-looking assessment and take a stand for common sense. Didn’t happen.