
CPPA Enforcement Action Against Honda Underscores Need for CCPA Compliant Privacy Practices

On March 12, the California Privacy Protection Agency (“CPPA”) announced an enforcement action against American Honda Motor Co. (“Honda”), with a $632,500 fine for violating the California Consumer Privacy Act and its implementing regulations (“CCPA”).[1] This action, the CPPA’s first non-data broker action, arose in connection with the Enforcement Division’s ongoing investigative sweep of connected vehicle manufacturers and related technologies. It serves as a cautionary tale for companies handling consumer personal information, highlighting the stringent requirements of the CCPA and the consequences of non-compliance.

Alleged CCPA Violations

In connection with its review of Honda’s data privacy practices, the CPPA’s Enforcement Division concluded that Honda violated the CCPA’s requirements by:

  1. Placing an undue burden on consumers, requiring Californians to verify their identity and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  2. Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights;
  3. Employing dark patterns, by using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way; and
  4. Sharing consumers’ personal information with ad tech companies without contracts that contain the necessary terms to protect privacy.

Below, we summarize the conduct giving rise to the alleged violations, and provide practical tips for businesses to consider for implementation.

1. Undue Burden on Requests to Opt-Out of Sale/Sharing and Requests to Limit

According to the Stipulated Final Order, Honda provided consumers with the same webform to submit all of their CCPA privacy rights requests irrespective of whether the requests required identity verification or not, in violation of the CCPA. Specifically, the CCPA distinguishes between privacy rights that permit a business to conduct prior identity verification (e.g., rights to know/access, correct and delete) and those that do not (e.g., rights to opt-out of data sales or “sharing” and to limit the use and disclosure of sensitive personal information), meaning businesses are prohibited from requiring consumers to verify their identities before actioning opt-out or limitation requests.[2] 

In reviewing Honda’s practices, the CPPA found that, by using the same webform for all privacy rights requests and in turn requiring personal information to be provided before honoring opt-out and limitation requests, Honda imposed an unlawful verification standard on California consumers. In addition, the CPPA found that the webform required consumers to provide more information than necessary[3] for Honda to verify requests to access, delete and change their data. Accordingly, the CPPA found that Honda’s webform was unduly burdensome, interfering with the ability of consumers to exercise their rights and thereby violating the CCPA.

  • Practice Tip.  Businesses covered by the CCPA should review their consumer rights requests processes and methods to confirm that they do not require verification in order for consumers to submit consumer opt-out and limitation requests, and should further limit the information required to be provided by consumers in order to submit other privacy rights requests to only the information truly necessary to confirm the identity of the requestor.

2. Undue Burden on Exercise of CCPA Rights through Authorized Agents

Similar to the allegations above, the second alleged violation arose in connection with Honda’s practice of requiring consumers to directly confirm that they had given permission to their authorized agents to submit opt-out and limitation requests on their behalf. 

Under the CCPA, consumers can authorize other persons or entities to exercise their aforementioned rights, and, as above, the CCPA prohibits verification requirements for rights to opt-out and limit.  While businesses may require authorized agents to provide proof of authorization, the CCPA prohibits requiring consumers to directly confirm that authorized agents have their permission.  Instead, businesses are only allowed to contact consumers directly to check authorization, provided this relates to requests to know/access, correct or delete personal information.

Despite these requirements, because Honda’s process for submitting CCPA privacy rights requests did not distinguish between verifiable and non-verifiable requests, and Honda sent confirmatory correspondence directly to consumers to confirm they had given permission to the authorized agent for all such privacy requests, the CPPA found Honda in violation of the CCPA.

  • Practice Tip.  As above, businesses should audit their consumer rights requests procedures and mechanisms to ensure that they do not impose verification requirements, including those related to the use of authorized agents, in connection with opt-out and limitation requests.

3. Asymmetry in Cookie Management Tool

The third alleged violation regards Honda’s use of a cookie consent management tool on its website used to effectuate consumer requests to opt-out of personal information “sharing”, which was configured to opt consumers in by default.

Specifically, through the OneTrust cookie consent management tool utilized on Honda’s websites, consumers were automatically opted in to the “sharing” of their personal information by default. To opt out, consumers were required to take multiple steps (i.e., to toggle the button to turn off cookies and then confirm their choices), while opting in required either no steps or, assuming a consumer were to decide to opt back in after opting out, only one step to “allow all” cookies.

The CCPA requires businesses to design and implement methods for submitting CCPA requests that are easy to understand and easy to execute, that provide symmetrical choices, and that avoid confusing language, interactive elements or choice architecture that impairs one’s ability to make a choice. Here, the CPPA focused specifically on symmetrical choices, meaning that the path for a consumer to exercise a more privacy-protective option cannot be longer, more difficult or more time-consuming than the path to exercise a less privacy-protective option, because that would impair or interfere with the consumer’s ability to make a choice. The Stipulated Final Order went further to confirm that a website banner that provides only two options when seeking consumers’ consent to use their personal information—such as “Accept All” and “More Information,” or “Accept All” and “Preferences”—is not equal or symmetrical.

  • Practice Tip.  Businesses must audit their cookie consent management tools to ensure that consumers are not opted-in to data “sales” or “sharing” by default, and that the tool does not require a consumer to take more steps to effectuate consumer opt-out requests than to opt-in.  Moreover, cookie consent management tools that present only two options should allow consumers to either “accept” or “reject” all cookies (rather than presenting the option to “accept” and another option that is not full rejection (such as to receive more information or go to a “preferences” page)).

4. Absence of Contractual Safeguards with Vendors

Finally, the CPPA alleged that although Honda disclosed consumer personal information to third-party advertising technology vendors in situations where such disclosure was a “sale” or “sharing” under the CCPA, it failed to enter into a CCPA-compliant contract with such vendors.  Specifically, businesses that “sell” or “share” personal information to or with a third party must enter into agreements containing explicit provisions prescribed by the CCPA to ensure protection of consumers’ personal information. The CPPA found that by failing to implement such contractual safeguards, Honda placed consumers’ personal information at risk.

  • Practice Tip.  Businesses should audit all contracts pursuant to which consumer personal information is disclosed or otherwise made available to third parties, particularly third-party advertising technology vendors, to ensure the provisions required by the CCPA are included.

Enforcement Remedies

In addition to a $632,500 fine[4], the Stipulated Final Order requires Honda to (1) modify its methods for consumers to submit CCPA requests, including with respect to its method for the submission and confirmation of CCPA requests by authorized agents, (2) change its cookie preference tool to avoid dark patterns and ensure symmetry in choice, (3) ensure all personnel handling CCPA requests are adequately trained and (4) enter into compliant contracts with all external recipients of consumer personal information within 180 days.

Conclusion

The enforcement action against Honda underscores the importance of strict compliance with the CCPA. Businesses must ensure that their processes for handling consumer privacy requests are straightforward, do not require unnecessary information, and provide equal choice options, and must enter into CCPA compliant contracts prior to and in connection with the disclosure of consumer personal information to third parties.


[1] The Stipulated Final Order (the “Stipulated Final Order”) can be found here.

[2] Under the CCPA, businesses can verify requests to delete, correct and know personal information of consumers because of the potential harm to consumers from imposters accessing, deleting or changing their personal information; conversely, requests to opt-out of sale or sharing and requests to limit use and disclosure are prohibited from having a verification requirement because of the minimal potential harm to consumers.  Accordingly, while businesses may ask for additional information in connection with such requests to identify the relevant data in their systems, they cannot ask for more information than necessary to process such requests and, to the extent they can comply without additional information, they must do so.

[3] Specifically, the form required consumers to provide their first name, last name, address, city, state, zip code, email address and phone number, although Honda “need[ed] only two data points from [the relevant] consumer to identify [them] within its database.” 

[4] Notably, the Stipulated Final Order details the number of consumers whose rights were implicated by some of Honda’s practices, serving as a reminder to businesses that CCPA fines apply on a per violation basis.

New York Legislature Passes Health Data Privacy Bill

Last week, the New York legislature passed the New York Health Information Privacy Act (S929) (“NYHIPA” or the “Act”)[1]. The Act, which is currently awaiting the Governor’s signature, seeks to regulate the collection, sale and processing of healthcare information, akin to Washington’s My Health My Data Act.

Importantly, the Act as currently drafted is very broad and may have far-reaching consequences giving rise to extensive compliance obligations, including because it (i) extends to non-health related data, (ii) does not contain applicability thresholds based on the number of individuals whose data is processed, or the type of activity carried out, by the regulated entity, (iii) requires minimal nexus to New York and applies to non-New York entities that process non-New York residents’ data, and (iv) applies to information collected in the context of employment and business-to-business relationships. If signed by the Governor, the Act will go into effect one year after it becomes law.

Below, we provide an overview of the broad categories of entities and data subject to NYHIPA, the key compliance obligations and consumer rights provided, and what businesses need to know in order to comply.

Who and What is Covered by the Act?

Regulated Health Information. The Act covers a wide range of data given the broad definition of “regulated health information.” Specifically, “regulated health information” includes “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual” (referred to herein as “RHI”); by definition, RHI does not include “deidentified information,”[2] protected health information (“PHI”) governed by HIPAA or information collected as part of a clinical trial. The Act’s provisions also apply to seemingly non-health related data, such as location information and payment information collected in connection with health-related products or services, as well as any inference that can be drawn or derived therefrom.

Accordingly, the Act as drafted implicates a significant amount of information and, as further discussed below, given the absence of applicability thresholds (e.g., based on the number of New York residents whose data is processed), applies to a vast number of entities. RHI is not limited to medical records, but covers biometric data, genetic information, and even information that could identify a person indirectly. Additionally, since the Act lacks a definition of “individual,” it arguably applies to information collected in the context of commercial and employment relationships unlike typical U.S. state privacy laws, expanding the compliance obligations of entities both within and outside New York’s borders.

Regulated Entities. In a stark contrast to the processing thresholds advanced by other US privacy laws, the Act defines a regulated entity as any entity that:

  1. Controls the processing of RHI of an individual who is a New York resident;
  2. Controls the processing of RHI of an individual who is physically present in New York, or
  3. Is located in New York and controls the processing of RHI.

Excluded from coverage are local, state, and federal governments and municipal corporations (given that any information they process is exempt from the Act’s reach), as well as HIPAA covered entities solely to the extent they maintain patient information in the same manner as PHI. Additionally, there is no exemption for nonprofits or entities regulated by the GLBA, meaning additional restrictions may be imposed on the financial information they collect (e.g., payment transactions relating to physical or mental health, or from which inferences can be drawn) to the extent it is processed in connection with health-related purposes.

Unlike other state privacy laws enacted to date, the Act’s extraterritorial application will impact many organizations beyond those that conduct business in New York as, even if the entity itself is located outside the state, its activities will be subject to the Act so long as it processes RHI regarding individuals (not even necessarily state residents) physically present in New York.   Further, individuals beyond New York residents may benefit from the Act’s protections, given that any entity located in New York will be covered by the Act regardless of where the individual whose RHI is processed is domiciled.

Compliance Obligations

Entities subject to typical U.S. consumer privacy laws will recognize a number of familiar obligations imposed by NYHIPA, including:

1. Obligations to provide a publicly available privacy policy through a regularly used interface (e.g., a website or platform) informing such individual what RHI will be collected, the nature and purpose of processing, to whom and for what purposes RHI will be disclosed, and how consumers can request access to or deletion of their RHI;

2. Restrictions on “selling”[3] RHI;

  • Notably, it is unclear whether, based on the current drafting of the Act, all “sales” of RHI are expressly prohibited (other than in the context of business transactions), as the exceptions that would seem to be appropriate (i.e., where an individual provides a valid authorization or the processing is otherwise necessary for a permitted purpose) are not clearly provided with respect to RHI sales and instead only appear to be tied to other types of RHI processing. Such exceptions would appear to be appropriate in the context of “sales”, given that reading the Act any other way appears to suggest that any sharing of RHI is prohibited where valuable consideration is provided in exchange. By way of example, if no such exceptions apply, then there is a risk that regulated entities would be prohibited from providing RHI to their service providers if that would be considered, under a broad interpretation of “sale”, sharing RHI for “valuable consideration” (i.e., the relevant services).

3. Restrictions on otherwise processing RHI unless (a) the covered entity obtains valid authorization as governed by the Act (detailed further below, and which must be easily revocable at any time) or (b) the processing is “strictly necessary” for one of seven specific purposes enumerated in the Act (e.g., to provide the product or service requested, to comply with legal obligations, for internal business operations excluding marketing);

4. Providing individuals access and deletion rights, including by providing an easy mechanism by which individuals can effectuate such rights and allowing such requests to be made by an individual’s authorized agent, with which regulated entities must comply within 30 days;

  • Deletion requests must also be passed to and honored by a regulated entity’s third party service providers.

5. Implementing reasonable administrative, physical, and technical safeguards to protect the confidentiality and security of RHI;

6. Securely disposing of RHI pursuant to a publicly available retention schedule, where disposal must occur no later than 60 days after retention is no longer necessary for the permissible purposes or for which consent was given; and

7. Entering into contracts with third party service providers, imposing equivalent confidentiality, information security, access and deletion obligations, as well as processing restrictions, as those imposed on the regulated entity under the Act.

Valid Authorization

While many U.S. state privacy laws contain prescriptive requirements regarding what constitutes consumer consent, NYHIPA goes a step further in providing not only a number of requirements on how an authorization must be presented to be valid, but also substantive requirements to include in authorization request forms.

In order for an authorization to be considered valid, it must meet specific criteria, including that the request: (i) must be made separately from any other transaction or part of a transaction, (ii) cannot be sought until at least twenty-four hours after an individual creates an account or first uses the requested product or service, (iii) cannot be obtained through a dark pattern, (iv) if made for multiple processing activities, must allow for specific authorization for each specific activity, and (v) cannot relate to an activity for which the individual has revoked or withheld consent in the past year. Following trends set by recent privacy-related litigation, such as California wiretapping litigation, the Act makes clear that requests for consent must be specific to the particular processing activity, and cannot be bundled with other disclosures or consent requests. Further, consent must be clearly communicated to the relevant individual, and freely revocable.

In terms of substantive requirements, the Act further requires that valid authorizations disclose the RHI to be collected and the purposes for which it will be processed; the names or categories of third parties to whom RHI will be disclosed (similar to the approaches taken in the Oregon and Delaware consumer privacy laws); any monetary or valuable consideration that may be received by the regulated entity; assurances that failure to consent will not affect an individual’s experience; the expiration date of the authorization, which may be up to one year from when authorization was provided; how the individual can revoke consent; how the individual can request access to or deletion of their RHI; and any other information material to the individual’s decision-making. Authorizations must also be executed by the individual, though this can be done electronically.

Enforcement

Enforcement rights under the Act are primarily vested in the New York AG, who has broad authority to investigate violations, and impose civil penalties on entities that engage, or are about to engage, in unlawful acts or practices under the NYHIPA. The New York AG can commence an action within 6 years of becoming aware of the alleged violation, and, in addition to seeking an injunction, can seek civil penalties of not more than $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as any such other and further relief as the court may deem proper. The Act also contemplates rulemaking authority for the New York AG.

Conclusion

The applicability of NYHIPA is broad, covering a wide array of entities involved in the collection, use, and management of RHI within New York. To determine whether NYHIPA applies, an organization must evaluate its role in handling health information, the nature of the data it processes, and its geographic operations. Until now, state consumer privacy laws have been focused on comprehensive data privacy, designed on the Washington model. Perhaps New York is showing us a shift back to sectoral laws instead. At this current juncture, it is unclear whether Governor Hochul will sign the law as drafted given it is likely to be subject to a number of challenges, including on First Amendment grounds; Cleary Gottlieb will keep monitoring for updates.


[1] The text of the bill can be found here.

[2] “Deidentified information” under the Act has the same meaning provided under comprehensive U.S. state privacy laws (i.e., information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, household or device, provided that the regulated entity or service provider (i) implements reasonable measures to prevent reidentification, (ii) publicly commits to process the information in deidentified form and not attempt to reidentify the information and (iii) imposes contractual obligations on third party recipients consistent with the foregoing (i)-(iii)).

[3] “Sell” under the Act is defined as sharing RHI for monetary or other valuable consideration, exempting only sharing of RHI in the context of a business transaction in which a third party assumes control of all or part of the covered entity’s assets.
