New CPPA Decision Means Businesses Must Review Their Privacy Compliance Processes and Consent Management Tools
What Happened?
The California Privacy Protection Agency (CPPA) issued a settlement order on March 12, 2025, with a vehicle manufacturer following its investigation of the manufacturer's privacy practices. The manufacturer agreed to a $632,500 settlement for 150 consumer violations and, as part of the settlement, also agreed to address its ongoing privacy compliance practices.
Why is This Important to Privacy Practitioners?
Many other organizations operating as businesses under the California Consumer Privacy Act (CCPA) likely have similar implementations, both because they are attempting to comply with the increasingly complex patchwork quilt of state privacy laws and because they rely on key privacy vendors' implementations.
The CPPA is no longer bringing enforcement actions against companies that fail to implement the CCPA. Instead, it is requiring companies to implement the nuances of the CCPA in their compliance processes.
What Do You Need to Know?
Below is a high-level summary of the CPPA "Order."
OneTrust Consumer Privacy Request Form
- The OneTrust Consumer Privacy Request Form merged all data subject requests, including Do Not Sell or Share My Information requests and Requests to Limit, into a single form. According to the CPPA, this form required too much information for an opt-out request, amounting to verification of an opt-out request.
- As a reminder, under the CCPA and its implementing regulations, opt-out requests are not verifiable.
- The Order requires that CCPA businesses require consumers making a Request to Opt-Out of Sale/Sharing or a Request to Limit to provide only the information necessary to process the request. Your organization should check to see what data you need for your internal systems to verify.
Verification Steps for Opt-Outs of Sale and Sharing Consumer Information
- Similarly, additional steps were required to verify an authorized agent opting out of the sale or sharing of a consumer’s information or exercising the right to limit. As a reminder, the CCPA and its implementing regulations do not allow these verification steps, as the "potential harm to consumers resulting from an imposter accessing, deleting or changing personal information maintained by business is minimal or nonexistent for Requests to Opt-Out of Sharing/Selling or Requests to Limit."
OneTrust Cookie Tool
- The CPPA also criticized the consent management tool's optionality, which allowed consumers to "Allow All" cookies after they had made a choice to turn off certain cookies. The CPPA found this implementation to be confusing to consumers.
- In addition, the CPPA clearly stated in the Order that cookie banners must have a "Decline All" functionality button and the right to manage cookie preferences should be within a Privacy Choice Center and Privacy Policy.
- Finally, under the Order, the vehicle manufacturer is required to consult a user experience designer to evaluate its methods for submitting data subject rights requests and to make recommendations on how to ensure that those methods are easy for a reasonable consumer to use.
CPPA Contractual Agreements
- In the Order, the CPPA reiterated once again that CCPA businesses are required to have contractual agreements in place with service providers and third-party vendors that satisfy the CCPA regulatory requirements, and to be able to produce these documents upon demand.
Next Steps
In light of this decision, we recommend that CCPA businesses review their data subject rights processes, consent management tool implementations, and service provider and third-party contracts to meet these requirements.
Reliance on vendors that shift legal compliance burdens onto your organization will not prevent CPPA investigations or subsequent CCPA violations. Across the complex patchwork quilt of US state privacy laws, we expect other state enforcement agencies to follow California’s lead.