CalPrivacy Fines Ford Motor Company $375,703 for Adding Friction to the CCPA Opt-Out Process

On March 5, 2026, the California Privacy Protection Agency (CalPrivacy) announced a $375,703 settlement with Ford Motor Company over alleged violations of the California Consumer Privacy Act (CCPA). The violation at issue is narrow but significant: Ford required consumers to complete an email verification step before it would process their request to opt out of the sale or sharing of their personal information, and under the CCPA, that is not permitted.

The Stipulated Final Order covers alleged conduct between July 1, 2023, and March 1, 2024. This is CalPrivacy’s fifth public enforcement action and the second to emerge from its ongoing investigative sweep of connected-vehicle manufacturers, following last year’s settlement with American Honda Motor Co.

What Ford Allegedly Did and Why It Was Unlawful

Ford provided consumers with an online consumer privacy rights form through which they could submit various CCPA rights requests, including requests to opt out of the sale and sharing of their personal information. After a consumer submitted the form, Ford displayed a “One More Step!” screen instructing them to check their email and click a confirmation link before Ford would begin processing the request. Consumers who did not complete the email verification step had their requests marked as “expired” and never processed, resulting in dozens of opt-out requests going unaddressed.

The CCPA draws a deliberate distinction between different types of consumer rights requests. Businesses may require identity verification before processing requests to delete, know, or correct personal information, in part because such requests require the business to locate and act on specific records tied to an identified individual. Opt-out requests are categorically different. They are prospective instructions to stop a practice going forward. The CCPA explicitly prohibits requiring a verifiable consumer request for opt-outs, and requiring email confirmation before processing an opt-out request is precisely that. As CalPrivacy stated in the order, Ford could have processed those requests using the information already provided through the form, and, to the extent it was able to do so, it was required to do so.

As CalPrivacy’s head of enforcement, Michael Macko, put it: “Opting out is supposed to be easy. Just as unnecessary steps in the checkout process can discourage consumers from completing a purchase, unnecessary steps in the opt-out process can discourage consumers from exercising their privacy rights.”

The order also found that Ford continued to sell or share personal information for consumers who had submitted opt-out requests but not completed the verification step, a separate violation of Civil Code § 1798.120(d).

Notably, CalPrivacy found that Ford did not intend to impose a verifiable-consumer-request standard for opt-outs. The email confirmation language appears to have been an inadvertent configuration issue rather than a deliberate policy. Ford also cooperated with investigators and processed the outstanding opt-out requests once the investigation commenced. CalPrivacy credited those facts but did not excuse the violation.

Settlement Terms

In addition to the $375,703 fine, Ford must:

  • Provide consumers with opt-out methods that are easy to use and require minimal steps, for both its digital properties and connected vehicle services
  • Stop requiring email verification or any other identity confirmation step before processing opt-out requests
  • Honor opt-out requests within the timeframe required by the CCPA
  • Conduct an audit of all tracking technologies on its website, including cookies, web beacons, and pixels, and ensure they are properly configured to honor opt-out preference signals, including the Global Privacy Control (GPC)

Ford must confirm in writing to CalPrivacy that it has completed these steps within 90 days of the order taking effect.

The Connected Vehicle Sweep and a Broader Warning

As Hunton Andrews Kurth observed, the Ford settlement is the second outcome of CalPrivacy’s announced sweep of connected-vehicle manufacturers, and the agency has signaled that this sector will continue to receive targeted scrutiny. Connected vehicles present particular complexity: they collect data continuously, passively, and often across multiple individuals (drivers, passengers, and registered vehicle owners), all of whom may have different privacy expectations and rights.

The Ford action also carries a warning well beyond the automotive sector. As Lowenstein Sandler noted in their analysis, email verification before opt-out processing is a common default configuration in many widely deployed consent management platforms and vendor-provided privacy rights tools. Businesses that use off-the-shelf systems may have unknowingly inherited this exact compliance gap. Relying on vendor defaults is not a defense, as CalPrivacy’s order makes clear.

The principle the agency is enforcing is straightforward: the ease of exercising a privacy right must be commensurate with the ease of data collection. If your system collects data without friction, your opt-out process cannot introduce friction that data collection does not require. This is consistent with the agency’s findings in the PlayOn Sports enforcement action, where CalPrivacy found that forcing consumers to click “Agree” before accessing already-purchased tickets constituted impermissible coercive consent.

Key Compliance Takeaways

Opt-outs require a different workflow than other rights requests. Businesses must configure their consumer rights platforms to treat opt-out requests separately from delete, know, and correct requests. If your system routes all requests through the same verification workflow, that is likely a CCPA violation.

Audit your consent management platform and vendor tools. Do not assume that your CMP or privacy rights vendor has configured opt-out flows correctly. Verify explicitly, in writing, that opt-out requests will be processed without identity verification.

Honor opt-out requests with the information already provided. To the extent a consumer has already submitted sufficient information to identify whose data should stop being sold or shared, the CCPA requires you to act on that, and you generally cannot require additional confirmation as a condition of compliance.

GPC compliance remains a priority. CalPrivacy again required a tracking technology audit and GPC implementation as part of this settlement, consistent with every prior enforcement action. If your website or app does not recognize and honor opt-out preference signals, you may not be compliant. Our GPC and Universal Opt-Out Mechanism compliance page covers what proper implementation looks like.
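
The takeaways above describe a routing rule and an audit; as an added example (not code from CalPrivacy's order, Ford, or any vendor tool), the Python below processes opt-outs immediately, holds only delete/know/correct requests for verification, treats a `Sec-GPC: 1` request header as an opt-out, and flags opt-out records left unprocessed in an exported request log. Function names, status strings, record fields and the sample export are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Request types for which the article says identity verification may be required.
VERIFIABLE = {"delete", "know", "correct"}

@dataclass
class RightsStore:
    opted_out: set = field(default_factory=set)   # identifiers never to sell/share
    pending: list = field(default_factory=list)   # requests awaiting verification

def handle_request(store, kind, identifier, verified=False):
    """Route one rights request and return its resulting status."""
    if kind == "opt_out":
        # No confirmation step: act on the identifier the form already supplied.
        store.opted_out.add(identifier.lower())
        return "processed"
    if kind not in VERIFIABLE:
        raise ValueError(f"unknown request type: {kind}")
    if not verified:
        store.pending.append((kind, identifier.lower()))
        return "awaiting_verification"
    return "processed"

def apply_gpc(store, headers, identifier):
    """Treat a Sec-GPC: 1 request header as an opt-out for this visitor."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    if norm.get("sec-gpc") == "1":
        return handle_request(store, "opt_out", identifier)
    return "no_signal"

def may_sell_or_share(store, identifier):
    """Gate every sale/share path on the opt-out set."""
    return identifier.lower() not in store.opted_out

def find_stalled_optouts(records):
    """Audit exported request records: any opt-out not 'processed' is a finding."""
    return [r["id"] for r in records
            if r["type"] == "opt_out" and r["status"] != "processed"]

# Constructed sample export, mimicking a tool that gates every type on e-mail.
SAMPLE_EXPORT = [
    {"id": "R-1", "type": "opt_out", "status": "expired"},
    {"id": "R-2", "type": "delete", "status": "awaiting_verification"},
    {"id": "R-3", "type": "opt_out", "status": "processed"},
    {"id": "R-4", "type": "opt_out", "status": "awaiting_verification"},
]

if __name__ == "__main__":
    print(find_stalled_optouts(SAMPLE_EXPORT))
```
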

Conclusion

The Ford settlement is a reminder that CCPA compliance failures are not always the result of deliberate non-compliance and that they can arise from vendor defaults, inadvertent configurations, or process designs that were never reviewed against the specific requirements of the opt-out right. The result is the same regardless of intent. As CalPrivacy continues its connected-vehicle sweep and maintains its focus on opt-out architecture across all sectors, any business that collects and shares consumers’ personal information should treat its consumer rights workflows as a live compliance risk, not a set-it-and-forget-it implementation.