California Tightens the Leash on State Privacy Law Violations
Key Takeaways: The California Consumer Privacy Act (“CCPA”) is the most stringent privacy law currently enforced in the United States. As the recent enforcement actions under the CCPA and California Delete Act have demonstrated, California privacy regulators have proven they are not afraid to punish such violations.
Over the past few months, the California Privacy Protection Agency Board and the California Attorney General have been cracking down on violations of the California Consumer Privacy Act of 2018 (“CCPA”) and the California Delete Act. The most notable of these enforcement actions are summarized below.
Honda Settles with California Privacy Protection Agency (“CPPA”) for $632,500[1]
The CPPA Board announced a settlement with Honda on March 12, 2025, following an investigation into Honda’s CCPA compliance that had begun in July 2023. The Board assessed Honda’s data privacy practices spanning from January 1, 2023 to November 20, 2024 and identified multiple violations of the CCPA that occurred during this period.
Under the CCPA, consumers have the right to opt out of the sale or sharing of their personal data with businesses and other data processors. Although Honda allowed consumers to exercise this right, Honda’s opt-out process additionally required the consumer to “verify” his or her identity by sharing several pieces of additional information.
For some consumer requests under the CCPA, a business may request additional information to verify the consumer’s identity before processing the request. Verifiable consumer requests include requests to delete, requests to correct, and requests to know. Such verification is only permitted to the extent necessary for the business to ensure it has the data of the consumer in question. CCPA does not permit businesses to require verification for requests to opt out of sale or sharing or requests to limit.
During the investigation into Honda, the CPPA Board also found that Honda did not offer symmetrical privacy choices on its website. The concept of symmetrical privacy choices means that the number of steps required to opt out of information sharing should be equal to the number of steps it takes a consumer to opt in to information sharing. Honda’s website allows consumers to “accept all” cookies and share personal information with just one click, whereas opting out of the cookies requires at least two clicks.
To resolve these violations, Honda was required to pay an administrative fine of $632,500 and modify its privacy practices to address the noncompliance identified by the CPPA Board.
California Attorney General Conducts Investigative Sweep of Location Data Industry[2]
On March 10, 2025, California Attorney General Rob Bonta announced an ongoing investigative sweep into the location data industry. The California Attorney General’s Office sent letters to advertising networks, mobile app providers, and data brokers that appeared to be in violation of the CCPA’s requirements regarding precise geolocation data, which is considered sensitive data under CCPA. Under the CCPA, consumers can request that a business use their sensitive data only for limited purposes, such as providing requested services. The letters serve to notify recipients of their potential violations and request additional information about the recipient’s business practices related to personal data.
As modern technology continues to evolve, geolocation data has become increasingly relevant and readily available, and it has become an enforcement priority for several states as well as the Federal Trade Commission (“FTC”). Where a person travels in the course of a day can give insight into what is going on in that person’s life and can identify, with precision, where a person spends their time as well as their visits to sensitive destinations. As Attorney General Bonta stated in the announcement of this investigative sweep, “Each day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location is deeply personal … Given the federal assaults on immigrant communities, as well as gender-affirming healthcare and abortion, businesses must take the responsibility to protect location data seriously.”
CPPA Calls Out Data Brokers That Fail to Follow California Delete Act[3]
The California Delete Act requires all data brokers that collect personal data of California residents to register for the California Data Broker Registry, which includes the payment of a registration fee as well as submission of information regarding the business’s data collection practices. This ensures that “data brokers aren’t operating in the dark,” according to CPPA’s head of enforcement, Michael Macko. On October 30, 2024, the CPPA began an investigative sweep of data broker registration compliance. Businesses operating as data brokers in 2024 had to register by January 31, 2025, or face fines of $200 for each day they remained noncompliant.
There are two noteworthy violations made public to date. The first is a $46,000 fine sought from Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker. National Public Data failed to register and pay the annual registration fee required under the Delete Act. Businesses that operated as data brokers in 2023 had until January 31, 2024 to register with the CPPA. National Public Data did not register until September 18, 2024 – 230 days past the deadline. The $46,000 fine was calculated as $200 for each day National Public Data remained unregistered after the January 31, 2024 deadline.
The second noteworthy violation was assessed against Background Alert, Inc., a California-based data broker that also failed to pay the annual registration fee per the Delete Act. Background Alert creates and sells profiles of individuals on its website, backgroundalert.com. The company attracted customers by saying, “It’s crazy how much information you can dig up on someone.” Per CPPA enforcement, Background Alert is required to cease its data broker operations through 2028. If it does not comply, it must pay a $50,000 fine.
CPPA Issues Fine for Consumer Request Violations[4]
On May 6, 2025, the CPPA Board issued a Stipulated Final Order requiring clothing retailer Todd Snyder, Inc. (“Todd Snyder”) to pay a $345,178 fine to resolve allegations that the business had violated CCPA. Todd Snyder will also be required to change its consumer request process to align with CCPA requirements.
The CPPA Enforcement Division alleged that Todd Snyder violated the CCPA by (i) failing to oversee and properly configure its consumer request portal; (ii) requiring consumers to submit more information than necessary in order to process their privacy requests; and (iii) requiring consumers to verify their identity in order to opt out of the sale or sharing of their information.
Todd Snyder utilized a third-party privacy management tool for its consumer request portal, which is permitted under the CCPA, but failed to verify that the tool was operating correctly. For a 40-day period in late 2023, problems in the configuration of the tool resulted in consumers being unable to select their cookie preferences or submit requests to opt out of the sale or sharing of their data. The tool was also unable to process requests submitted through opt-out preference signals such as Global Privacy Control.
Separately, Todd Snyder required consumers to include a photo of themselves holding an “identity document” in order to submit any consumer request under CCPA, including requests to opt out of sale or sharing. As noted above, CCPA does not allow businesses to require verification prior to processing a request to opt out of sale or sharing. Further, government identification, such as a driver’s license or state identification card, is considered sensitive personal information under the CCPA. When verifying a request or a consumer’s identity in connection with a request, CCPA requires businesses to avoid requesting more information than necessary, and to avoid collecting sensitive information such as government identification unless necessary for the purpose of verifying the consumer.
As set forth in the Stipulated Final Order, Todd Snyder must revise its consumer request process to comply with CCPA requirements. This includes no longer requiring consumers to verify their requests to opt out of sale or sharing or requiring consumers to provide a photo of their government identification in connection with their request. Todd Snyder must also establish and implement policies, procedures, and technical measures designed to monitor the effectiveness and functionality of its consumer request portal.
Koley Jessen is committed to staying informed about developments related to state data privacy law compliance and will offer guidance as new information emerges. If you are unsure about your business' compliance needs, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for assistance.
*Special thanks to summer associate Sydney Mallum for her contributions to this article.
[1] https://cppa.ca.gov/announcements/2025/20250312.html
[2] https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-investigative-sweep-location-data-industry
[3] https://cppa.ca.gov/announcements/2025/20250227.html; https://cppa.ca.gov/announcements/2025/20250220.html
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.