Honda Paid $632K Because "Accept All" Was One Click and "Opt Out" Was Five
The CPPA's first enforcement order. Honda's cookie banner let consumers accept all tracking with a single click, but opting out required individually toggling categories and confirming — a textbook dark pattern. Plus: 8 data fields required just to submit an opt-out request.
What CalPrivacy found
Four distinct violations, each representing a different infrastructure failure:
- Dark patterns in cookie consent. "Accept All" was a single click. Opting out required consumers to individually toggle off each cookie category and then confirm their choices — an asymmetric friction burden that CCPA classifies as a dark pattern. The design made opting out harder than opting in.
- Excessive verification for opt-out requests. Honda required at least 8 data fields to submit any CCPA request through a single webform — name, full address, email, phone number, and VIN. For opt-out requests specifically, the CCPA doesn't allow verification requirements at all. An opt-out is a simple directive: stop selling my data.
- Authorized agent obstruction. When consumers used authorized agents (a CCPA right), Honda required the agent to provide the consumer's email or mailing address so Honda could independently verify permission. For opt-out and right-to-limit requests, CCPA only allows businesses to ask the agent for written permission signed by the consumer — nothing more.
- Missing ad tech vendor contracts. Honda disclosed personal information to advertising technology partners without contracts that included CCPA-required provisions — limitations on secondary use, data security commitments, and breach notification requirements.
The technical failure
The Honda case is different from Tractor Supply and Disney. The consent mechanisms technically worked — if a consumer navigated the dark pattern and individually toggled off every category, the opt-out took effect. The violation was that the UX was designed to discourage consumers from completing the process.
This is a design-as-infrastructure problem. When your consent management tool makes "accept all" a single action but "reject all" a multi-step process, that's not a UX preference — it's a CCPA violation. The same applies to verification: if your DSAR intake form requires the same fields for a deletion request (which can require verification) and an opt-out request (which cannot), your form logic is wrong.
What should have been deployed
1. Symmetric consent UI
The fix is straightforward: if "Accept All" is one click, "Reject All" must be equally accessible — same prominence, same number of clicks. CalPrivacy explicitly cited the CCPA's design symmetry requirements. This isn't a guideline; it's enforceable.
2. Request-type-aware intake forms
A single webform for all CCPA requests is fine, but the verification requirements must differ by request type:

```javascript
const verificationRules = {
  "opt-out":        { required: ["email"],         verify: false },
  "right-to-limit": { required: ["email"],         verify: false },
  "access":         { required: ["email", "name"], verify: true  },
  "deletion":       { required: ["email", "name"], verify: true  },
  "correction":     { required: ["email", "name"], verify: true  },
};
// Opt-out and right-to-limit: minimal friction, no verification
// Access, deletion and correction: verification permitted (but keep it reasonable)
```
Honda's mistake was applying the same 8-field form to every request type. Opt-out requests should collect the minimum information needed to identify the account and execute the opt-out — typically just an email address.
3. Authorized agent support built into the workflow
The DSAR intake pipeline needs to handle authorized agent submissions as a first-class flow, not a special case routed to manual review. For opt-out and right-to-limit requests via agent: accept the written permission signed by the consumer, execute the request. No additional verification of the consumer, and no demand for the consumer's email or mailing address beyond what is needed to find the account.
4. Vendor contract enforcement
Same pattern as every other enforcement case: contracts with ad tech vendors must include CCPA-required provisions, and the infrastructure must enforce them. When a consumer opts out, the propagation pipeline calls each vendor's opt-out API. The contract gives you the legal right to make the call; the infrastructure actually makes it.
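Steps 2 through 4 above, as one added example. This is not Honda's code or any tooling the page describes; the rule table, the `auditForm`, `newVendorRegistry`, `vendorContractGaps` and `intake` functions, the field names, the vendor names, their contract flags and the `signedPermission` marker are all assumptions made here for illustration. The vendor opt-out hook only records the call so the example runs offline.

```javascript
// Added example: a request-type-aware CCPA intake pipeline. Not Honda's code
// or the page's tooling; names, fields and vendors are constructed.

// Per-request-type rules: which fields the form may require and whether
// identity verification is permitted before acting.
const RULES = {
  "opt-out":        { fields: ["email"],         verify: false },
  "right-to-limit": { fields: ["email"],         verify: false },
  "access":         { fields: ["email", "name"], verify: true  },
  "deletion":       { fields: ["email", "name"], verify: true  },
  "correction":     { fields: ["email", "name"], verify: true  },
};

// Audit a form definition ({ type: [required field names] }) against RULES.
// Returns, per request type, the fields the form demands beyond what is allowed.
function auditForm(formRequiredFields) {
  const findings = {};
  for (const [type, rule] of Object.entries(RULES)) {
    const excess = (formRequiredFields[type] || []).filter((f) => !rule.fields.includes(f));
    if (excess.length) findings[type] = excess;
  }
  return findings;
}

// Vendor registry (constructed). Each ad tech partner carries its contract
// flags and an opt-out hook; the hook records calls so this runs offline.
function newVendorRegistry() {
  const make = (name, contract) => ({
    name, contract, calls: [],
    optOut(email) { this.calls.push(email); },
  });
  return [
    make("adnet-a", { secondaryUseLimit: true, security: true,  breachNotice: true }),
    make("adnet-b", { secondaryUseLimit: true, security: false, breachNotice: true }),
  ];
}

// Vendors whose contract lacks one of the three provisions the text lists.
function vendorContractGaps(registry) {
  return registry
    .filter((v) => !(v.contract.secondaryUseLimit && v.contract.security && v.contract.breachNotice))
    .map((v) => v.name);
}

// Process one submission:
//   req = { type, fields: {...}, agent?: { signedPermission: boolean } }
function intake(req, registry) {
  const rule = RULES[req.type];
  if (!rule) return { status: "rejected", reason: "unknown request type" };

  const missing = rule.fields.filter((f) => !req.fields[f]);
  if (missing.length) return { status: "rejected", reason: "missing " + missing.join(", ") };

  // Retain only the fields the rule allows; anything extra is never stored.
  const kept = Object.fromEntries(rule.fields.map((f) => [f, req.fields[f]]));

  // An authorized agent supplies written permission signed by the consumer.
  // For opt-out / right-to-limit that is the only thing we may ask the agent for.
  if (req.agent && !req.agent.signedPermission) {
    return { status: "rejected", reason: "agent must supply signed written permission" };
  }

  // Access, deletion and correction may be verified first (keep it reasonable).
  if (rule.verify) return { status: "pending-verification", fields: kept, viaAgent: !!req.agent };

  // Opt-out and right-to-limit execute immediately: no verification step.
  // Opt-out is propagated to every vendor in the registry; right-to-limit
  // would use its own vendor hook, omitted here.
  let propagatedTo = [];
  if (req.type === "opt-out") {
    registry.forEach((v) => v.optOut(kept.email));
    propagatedTo = registry.map((v) => v.name);
  }
  return { status: "executed", fields: kept, propagatedTo };
}

// Usage with a constructed Honda-style form and a sample opt-out.
const hondaStyleForm = {
  "opt-out": ["name", "address", "email", "phone", "vin"],
  "deletion": ["email", "name"],
};
console.log(auditForm(hondaStyleForm));    // { 'opt-out': [ 'name', 'address', 'phone', 'vin' ] }
const demoRegistry = newVendorRegistry();
console.log(vendorContractGaps(demoRegistry)); // [ 'adnet-b' ]
console.log(intake({ type: "opt-out", fields: { email: "c@example.com", name: "x", vin: "x" } }, demoRegistry));
```

The two halves matter separately: `auditForm` catches the Honda mistake at configuration time (an opt-out form that marks name, address, phone and VIN as required), while `intake` guarantees that even if extra fields arrive they are dropped, that an agent opt-out needs nothing but the signed permission, and that the opt-out fans out to every vendor as soon as it is accepted. `vendorContractGaps` is the contract check that should block onboarding a vendor in the first place.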
The fine math
$632,500 — the CPPA's first enforcement order. Honda was required to pay the fine, implement a simpler request process, hire a UX designer to evaluate their privacy request methods, train employees on CCPA compliance, and overhaul vendor contracting.
The UX designer requirement is notable. CalPrivacy is saying explicitly: dark patterns in privacy UX are an enforcement priority, and they expect companies to invest in getting the design right.
Does this apply to you?
Open your website's cookie consent banner. Count the clicks to accept all cookies. Now count the clicks to reject all cookies. If those numbers are different, you have the same exposure Honda had.
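The click count from this check and from step 1 above, made mechanical, as an added example that is not code from the page or from Honda. The banner model, the category names, the control labels and the `minClicks` / `symmetryReport` functions are assumptions made here; the real measurement is done against your own banner, but the model shows why a per-category toggle plus a confirm step scales the reject path with the number of categories while accept stays at one click.

```javascript
// Added example, not the page's or Honda's code: measure the click asymmetry
// the text describes. Banner layouts and category names are constructed.

const CATEGORIES = ["analytics", "advertising", "functional"];

// A category map with every category set to v.
function allSet(v) {
  return Object.fromEntries(CATEGORIES.map((c) => [c, v]));
}

// A banner is a list of controls. One click on a control rewrites the category
// map via apply() and either commits the choice (commits: true) or leaves it
// pending until a later committing click.
function hondaStyleBanner() {
  const toggles = CATEGORIES.map((c) => ({
    label: "toggle " + c,
    apply: (s) => ({ ...s, [c]: !s[c] }),
    commits: false,
  }));
  return [
    { label: "Accept All", apply: () => allSet(true), commits: true },
    ...toggles,
    { label: "Confirm", apply: (s) => s, commits: true },
  ];
}

// The fix: the same banner plus a one-click, committing "Reject All".
function symmetricBanner() {
  return [...hondaStyleBanner(), { label: "Reject All", apply: () => allSet(false), commits: true }];
}

const stateKey = (categories, committed) => JSON.stringify([categories, committed]);

// Breadth-first search over (category map, committed) states: the fewest
// clicks from `initial` (uncommitted) to `target` with the choice committed.
function minClicks(banner, initial, target) {
  const goal = stateKey(target, true);
  const queue = [[initial, false, 0]];
  const seen = new Set([stateKey(initial, false)]);
  while (queue.length) {
    const [categories, committed, clicks] = queue.shift();
    if (stateKey(categories, committed) === goal) return clicks;
    for (const ctrl of banner) {
      const next = ctrl.apply(categories);
      const k = stateKey(next, ctrl.commits);
      if (!seen.has(k)) {
        seen.add(k);
        queue.push([next, ctrl.commits, clicks + 1]);
      }
    }
  }
  return Infinity; // no sequence of controls reaches the target state
}

// The check from the text: clicks to accept everything vs. clicks to reject
// everything, starting from the banner's default (here: all pre-toggled on).
function symmetryReport(banner, initial = allSet(true)) {
  const accept = minClicks(banner, initial, allSet(true));
  const reject = minClicks(banner, initial, allSet(false));
  return { accept, reject, symmetric: accept === reject };
}

console.log(symmetryReport(hondaStyleBanner())); // { accept: 1, reject: 4, symmetric: false }
console.log(symmetryReport(symmetricBanner()));  // { accept: 1, reject: 1, symmetric: true }
```

The default state is a parameter on purpose: with the same Honda-style controls but every category defaulting to off, rejecting is a single Confirm click and the report comes out symmetric, which is why a banner review has to record the pre-set state as well as the buttons.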
Then check your DSAR intake form. Does it ask for the same information regardless of request type? If an opt-out request requires a name, address, phone number, and government ID — you're over-collecting, and CalPrivacy considers that discouraging consumers from exercising their rights.
// Free CCPA gap assessment — we'll review your consent UX and DSAR intake workflow for dark patterns and over-verification. 60 minutes, 48-hour gap report.