On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s (the “Company” or “Honda”) data privacy practices. In addition to implementing changes in its practices, the Company agreed to pay an administrative fine of $632,500. The decision details various failures to appropriately provide Californians with rights under the California Consumer Privacy Act (the “CCPA”) and also highlights deficiencies in the Company’s cookie interface that the CPPA alleged denied consumers symmetry of choice when exercising their rights.
While this is the first enforcement decision of its kind issued by the CPPA, state regulators have been increasingly scrutinizing cookies banners and the operation of cookies management tools as potential dark patterns. As the patchwork of states adopting privacy laws expands, cookies banners and management of cookies may be low-hanging fruit for regulators to bring enforcement actions. In this blog post, we discuss how the CPPA’s enforcement action against Honda may be an indicator of a broader enforcement trend around cookies management.
Background: Cookies and the CCPA
Cookies are small text files saved on a consumer’s browser that can enable online services to identify a consumer’s activity across the web. Cookies may be employed for a variety of purposes, including to help online services understand how consumers are interacting with websites (e.g., where they spend time), to ensure a website is functioning, and to help serve and measure the effectiveness of tailored advertising. This latter use of cookies data is referred to as cross-context behavioral advertising under the CCPA. For example, if a consumer visits an athletics store online and looks at sneakers, a cookie may be used to collect that consumer’s browsing information and share it with a third party who then uses it to build a profile about that consumer, which may then be used to serve that consumer advertisements about sneakers on other websites that also deploy that same third-party cookie.
The use of cookies in connection with cross-context behavioral advertising is typically considered “sharing” under the CCPA and “targeted advertising” under other U.S. state privacy laws. These laws require businesses to provide consumers with a right to opt out of these uses of cookies. To comply with opt-out requirements, businesses can use a “Do not sell or share my data” link or may use a cookies banner and cookies management tool that enables consumers to reject cookies. Businesses that engage in cross-context behavioral advertising or targeted advertising must also comply with global privacy control browser signals (“GPC”), meaning that they must automatically opt a consumer’s browser out from such cookies and associated data sharing when the consumer’s browser uses a GPC.
Under the CCPA, to ensure that consumers’ ability to protect their privacy is not unfairly hindered by the way that consent mechanisms are presented to consumers, businesses are required to offer consumers a “symmetry of choice,” which means that selecting the most privacy-protective option should not be more difficult or time consuming than selecting the least privacy-protective option. 11 CCR § 7004(a)(2). For example, a cookies banner with only two choices: “Accept All” and “More Information” would probably not be considered symmetrical because the most privacy-protecting option requires more steps than the least privacy-protecting option.
The CPPA’s First Enforcement Action
The CPPA’s 19-month investigation included findings that the Company (1) inappropriately required Californians to provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing; (2) failed to offer consumers privacy choices in a symmetrical manner; and (3) did not produce compliant data processing agreements with third parties. This blog post focuses on the second set of allegations.
The CPPA found that Honda employed a cookies management tool similar to those utilized by many websites in the U.S., which provided consumers with a notice of the website’s use of cookies and the ability to change their cookies preferences that were active by default. However, to turn off advertising cookies, a consumer would have to go through two steps: first, clicking a toggle button to open the cookies banner; and second, clicking “confirm my choices.” If that consumer later returned to the cookies management tool, they could turn on all cookies, including advertising cookies, in one step by selecting the “allow all” choice.
The CPPA found that Honda’s cookies management tool failed to provide a symmetrical choice to consumers exercising their opt-out right because it required consumers to go through two steps to turn “off” advertising cookies but only one step to turn them on. Instead, the CPPA stated that “[a]n equal or symmetrical choice … could be between ‘Accept All’ and ‘Decline All’” cookies. The CPPA required Honda to modify its cookies banner to include a “Reject All” button to provide symmetry in choice with Honda’s “Allow All” button within its cookie management platform.
The decision signals that the CPPA interprets the symmetry of choice provisions of the CCPA to mean that businesses must maintain an opt-in consent model for third-party cookies even though that is not explicitly required by the CCPA.
Toward an Opt-In Regime for Cookies?
The Honda decision is consistent with earlier signals from the CPPA. In September 2024, the CPPA issued an enforcement advisory that stressed the importance of avoiding dark patterns, which are “user interfaces that subvert or impair consumers’ autonomy, decision making, or choice when asserting their privacy rights or consenting.” As part of the advisory, the CPPA discussed that when using a cookies banner, businesses must provide consumers with easy-to-understand user interfaces with symmetry of choice.
New York has focused on cookies in the context of consumer protection. In July 2024, the New York Attorney General launched a business guide for website privacy controllers, which provides that statements about how website visitors are tracked should be accurate, and privacy controls should work as described. Cookies that are either miscategorized or misconfigured, such that consumers are offered the option to, but cannot in fact, turn off the cookies, are viewed as a violation of New York’s consumer protection laws. The New York Attorney General encouraged businesses to review cookies disclosures to ensure they are easy to understand and do not confuse consumers.
Takeaways
As state regulators increase scrutiny over cookies management tools, here is what businesses can do to prepare:
- Cookie Inventory. In order to understand whether opt-out rights are required and to accurately disclose how businesses are utilizing cookies, businesses should consider maintaining an up-to-date categorized inventory of cookies and other trackers that their online services deploy.
- Symmetry of Choice. Businesses should assess whether privacy choices offered through their cookies management tool, and website more generally, are easy to understand and offer consumers symmetry of choice. Businesses should consider implementing an “Accept All”/ “Reject All” approach if they are using a cookies banner in California.
- Test Cookies Management Tools. Businesses may configure cookies management tools to be compliant with applicable regulations and guidance, but those tools may nonetheless drop cookies prior to obtaining the necessary consumer consents or otherwise not function as intended. Businesses should consider conducting testing of cookies management tools to ensure they are functioning as intended.
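An added example, not part of the original post or any vendor's tool: a Node.js check that combines the cookie inventory and testing takeaways above with the GPC requirement described earlier. The inventory entries, cookie names and captured responses are constructed, and the policy it enforces (no advertising cookie when the request carries `Sec-GPC: 1`, no cookie from a category the consumer rejected, no cookie missing from the inventory) is this example's assumption about how the tool is meant to behave.

```javascript
// Constructed inventory: cookie name, or prefix ending in "*", mapped to a category.
const INVENTORY = [
  { pattern: "session_id", category: "strictly_necessary" },
  { pattern: "_an_*", category: "analytics" },
  { pattern: "adtrk_*", category: "advertising" },
];

function classify(name, inventory) {
  for (const { pattern, category } of inventory) {
    const hit = pattern.endsWith("*")
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern;
    if (hit) return category;
  }
  return "unclassified"; // inventory gap: nobody has categorized this tracker
}

// Cookie name is the text before the first "=" in the first ";"-delimited pair.
function cookieName(setCookie) {
  const pair = setCookie.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// capture = { requestHeaders, rejected: [categories turned off], setCookies: [header values] }
function auditCapture(capture, inventory) {
  const gpc = Object.entries(capture.requestHeaders).some(
    ([k, v]) => k.toLowerCase() === "sec-gpc" && String(v).trim() === "1");
  const findings = [];
  for (const header of capture.setCookies) {
    const name = cookieName(header);
    const category = classify(name, inventory);
    if (category === "unclassified") {
      findings.push({ name, issue: "not in inventory" });
    } else if (category === "advertising" && gpc) {
      findings.push({ name, issue: "advertising cookie set despite GPC" });
    } else if (capture.rejected.includes(category)) {
      findings.push({ name, issue: `${category} cookie set after rejection` });
    }
  }
  return findings;
}

// Constructed captures (not real traffic).
const GPC_VISIT = { requestHeaders: { "Sec-GPC": "1" }, rejected: [],
  setCookies: ["session_id=abc; Path=/; HttpOnly", "adtrk_uid=123; Max-Age=31536000", "_an_visit=1; Path=/"] };
const REJECTED_VISIT = { requestHeaders: {}, rejected: ["advertising", "analytics"],
  setCookies: ["session_id=abc; Path=/", "_an_visit=1; Path=/", "px_sync=9; Path=/"] };

console.log(auditCapture(GPC_VISIT, INVENTORY), auditCapture(REJECTED_VISIT, INVENTORY));
```

The check covers only cookies delivered in `Set-Cookie` response headers; cookies written by page scripts would have to be captured from the browser's cookie store and passed through the same classification.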