In a press release on March 10, 2025, California Attorney General (“California AG”) Rob Bonta announced an investigative sweep focusing on California Consumer Protection Act (“CCPA”) compliance within the location data industry. The announcement focused on how businesses offer and respond to certain consumer rights requests to limit or opt out of the sale and sharing of sensitive personal information, which includes geolocation data. Notably, this investigative sweep is consistent with a recent California legislature bill proposal that includes prohibitions on the collection and usage of location information. It also follows the line of previous investigative inquiries into suspected CCPA violations by advertising networks, mobile app providers, and data brokers.
Two days later on March 12, 2025, the California Privacy Protection Agency (CPPA or “the Agency”) announced a settlement with American Honda Motor Co. (“Honda” or “the Company”) over alleged privacy violations in how the Company complied with CCPA obligations for consumer privacy rights and disclosing data to third-party advertising companies. This Honda settlement aligns with the Agency’s ongoing inquiry into connected vehicles and their data practices, which started in July 2023. As stipulated in the final order (the “Order”), Honda must pay a fine of $632,500 and update several of its data practices relating to information from website users and drivers, including location data, such as how consumers exercise their privacy rights and the Company’s contractual obligations for third-party advertising companies.
We have provided some key takeaways for companies to consider as part of their CCPA compliance programs and summarized key provisions from the press release and CPPA settlement below. We are happy to answer any questions you might have about your company’s handling of sensitive data or how these developments may impact your operations. To keep up to date on the latest data privacy and cybersecurity developments, please subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.
Key Takeaways
The announcement of the investigative sweep and the CPPA enforcement action taken together illustrate the importance of CCPA compliance across all data practices, but especially when consumers’ sensitive data—like location data—is implicated. Location data, as a subcategory of sensitive data, has been an area of heightened focus for state and federal regulators, as evidenced by recent FTC consent orders, the DOJ Sensitive Data Transfers Rule, and the Texas AG’s lawsuit against Allstate for its practices using consumers’ location data. In our biweekly analysis of newly introduced state comprehensive privacy bills, we have also noted a trend among new bills that recognize location data as either “sensitive data” or “personal data” specifically protected by state regulations.
In light of these developments, there are several data practice points that companies should consider, such as:
- Evaluating data practices that relate to sensitive information, particularly location information. The AG’s press release emphasizes that companies need to provide consumers with an accessible format to submit CCPA requests, particularly opt-out requests. This means that companies should provide consumers using mobile devices with an opt-out choice through a “Do Not Sell or Share My Personal Information” link or settings available in the app itself.
- Paying attention to the details in CCPA consumer rights requirements. For example, the AG’s press release highlights how long companies must wait (12 months) after a consumer opts out of sharing/selling of data before they can be asked again. The CPPA Order emphasizes that details matter when implementing statutory requirements in its discussion of choice symmetry. Companies should assess the user experience for opting in and opting out of the selling/sharing of their data, down to the number of clicks needed to achieve either outcome.
- Knowing which CCPA consumer rights require verification of the consumer and which do not (and updating the request process accordingly). Speaking of details, the CPPA Order distinguishes between consumer requests that require the business to verify that the consumer making the request is correctly related to the collected information (i.e., the Requests to Delete, Requests to Correct, and Requests to Know) and requests that do not require consumer verification (i.e., the Requests to Opt-Out of Sale/Sharing and Requests to Limit Disclosure of Sensitive Information). The CPPA explains that there is little consumer harm if the wrong person submits a request to opt-out or limit, so companies should not be unnecessarily collecting extra consumer data to verify the identity for those requests.
- Confirming that contracts are in place with any third-party advertisers that receive personal information from the company. According to the CPPA, these contracts are necessary to ensure that the third-party advertisers provide the same level of privacy protection as required of companies by the CCPA. As described in the Order, these contracts must:
1. Identify the limited and specified purposes for which the Personal Information can be used;
2. Limit the recipient company’s use of the Personal Information for only those purposes; and
3. Require the recipient company to comply with the CCPA, among other things.
Summary of the Investigative Sweep Announcement
AG Bonta’s press release emphasizes the urgency of understanding how location data is collected and disclosed because it “can be used to track individuals’ movements or identify them with precision—including when they visit sensitive locations and where they live” and that “[a] wide variety of third-party apps collect location data from mobile devices and consumers may share this data without realizing it.” This investigative sweep places particular focus on how consumers can exercise their rights to opt out of the selling/sharing of their personal information and limit the location data collected by their devices:
- Regarding opt-out rights, the sweep widens the aperture from the AG’s 2023 inquiry into mobile apps’ CCPA compliance to include mobile app providers, advertising networks, and data brokers, reflecting the California AG’s broader thinking about CCPA compliance in the location data privacy landscape. The press release reiterates the CCPA’s obligations regarding honoring opt-outs in a timely manner and providing opt-outs through links or mobile app settings.
- Regarding limiting the use of sensitive information, the press release also offers specific consumer guidance on how to limit the tracking features on mobile devices and protect location data. Some of the recommendations included reviewing and adjusting location permissions, disabling mobile advertising identifiers (a unique identifier associated with a phone used to track online activity), and adjusting Wi-Fi and Bluetooth settings, which may also inadvertently reveal a consumer’s location.
Summary of the CPPA Enforcement Action
Factual Allegations
The CPPA began its investigation into Honda’s CCPA compliance practices on July 31, 2023; a year and a half later, it finalized the settlement. The CPPA organized the factual findings into four general allegations in the Order.
First, based on the Company’s use of the same consumer privacy rights request form for all CCPA-recognized rights, the Agency alleges that the Company’s “process for submitting CCPA requests fail[s] to distinguish requests that required verification and those that d[o] not.” This approach means that the Company collects more information than is necessary from consumers who want to opt out of the sale/sharing of their personal information (“Request to Opt-Out of Sale/Sharing”) or limit the use and disclosure of personal information (“Request to Limit”), as the requests to exercise these rights do not require a company to verify the identity of the consumer making the request.
Second, according to the allegations in the Order, the Company unnecessarily requires consumers to directly confirm they provided permission to Authorized Agents for Requests to Opt-Out of Sale/Sharing and Requests to Limit. The process to appoint an Authorized Agent only identifies contact information for the consumer and not the agent.
Third, the Company’s cookie management tool (provided by OneTrust, a popular privacy choices management platform) allegedly does not present symmetrical processes for submitting a Request to Opt-Out of Sale/Sharing and submitting a request to opt-in if the consumer later changes their mind. The Order explains how a consumer must go through two steps to opt-out: (1) click the default “active” toggle to OFF for “Performance Cookies,” “Functional Cookies,” and “Advertising Cookies,” then (2) click “Confirm My Choices.” By contrast, if a consumer has opted out and decides they want to opt back in, they only have to do one step of clicking “Allow All” on the cookies preferences application.
Fourth, the Order alleges that while the Company sells, shares, or discloses the personal information it collects from consumers to third-party advertising companies, it could not produce the contracts with these companies, as required by the CCPA.
Settlement and Orders
According to the Order, the settlement both imposes an administrative fine of $632,500 and requires the Company to take actions to bring its data practices into compliance with the law.
Within 90 days of the Order’s effective date, the Company must 1) change the method for consumers to submit Requests to Opt-Out of Sale/Sharing and Requests to Limit by revising the data collected for the request only to what is needed and separating these requests from Verifiable Consumer Requests that require more consumer information and 2) change the process for Authorized Agents submitting CCPA requests so agents provide their contact information and consumers do not have to directly confirm that they have given the agent permission to submit Requests to Opt-Out of Sale/Sharing and Limit.
Within 180 days of the Order’s effective date, the Company must 1) add the link to manage cookie preferences within its Privacy Center, Privacy Policy, and footers on privacy webpages; 2) add a “Reject All” button to balance the “Allow All” button on the cookie management platform; and 3) recognize the Global Privacy Control for known consumers.
Additionally, the Order stipulates that the Company:
- Consult an in-house or external user experience (UX) designer to evaluate the process for submitting CCPA requests to ensure it is “easy to use and avoid[s] language and interactive elements that are confusing to a reasonable Consumer.” This evaluation should include methods such as A/B testing to understand user behavior.
- Provide updated CCPA training to all personnel handling CCPA requests.
- Modify its contract oversight practices to confirm that all required contractual terms are in place with the third-party recipients of consumers’ data.
- Annually post metrics relating to the number of privacy rights requests received and the median or mean number of days the Company took to “substantively respond,” in compliance with Sec. 7102 in the CCPA’s regulations.