California AG Conducts Investigative Sweep of Location Data Industry

Want to receive these privacy recaps in your inbox each week? Subscribe here.

USA

California AG Conducts Investigative Sweep of Location Data Industry

California Attorney General Bonta announced that it is sending letters to advertising networks, mobile app providers, and data brokers who may be in violation of the California Consumer Privacy Act (the CCPA), focusing on how businesses offer and effectuate consumers’ right to limit the use of their sensitive personal information, including geolocation data.  

TAKEAWAY

Geolocation data appears to be a common area of enforcement focus so far in 2025, beyond the California Attorney General’s office. The Texas Attorney General’s office filed an action against Allstate in late January 2025 over the collection of location and driving data from users of third-party apps without sufficient privacy disclosure or consent. In the same week, the FTC filed a complaint against General Motors and finalized orders with data brokers Mobilewalla and Gravy Analytics, all over the sale of sensitive location data to third parties without user consent. The California AG announcement cites federal threats to California’s immigrant communities and to reproductive and gender-affirming healthcare as sources of risk from the sale of location data and reasons for this focus.

Honda To Pay $632,500 and Change its Practices to Settle CPPA Claims

The California Privacy Protection Agency (CPPA) announced a settlement with Honda over allegations that the company violated the California Consumer Privacy Act, including by (a) requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit; (b) using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way; (c) making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and (d) sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

In addition to paying a $632,500 fine, Honda will be required to implement a new and simpler process for Californians to assert their privacy rights, including by consulting a user experience (UX) designer to evaluate its methods.

TAKEAWAY

The settlement arose from an ongoing investigation of connected vehicle manufacturers and related technologies announced by the CPPA in July 2023. Some of the specific allegations and expectations in the settlement, however, reflect more recent advice given by the CPPA in enforcement advisories issued in April and September 2024.

In the April advisory, titled “Applying Data Minimization to Consumer Requests” the CPPA observed that certain businesses were asking consumers to provide “excessive and unnecessary personal information” in response to consumer requests under CCPA, in particular when responding to a request to opt out of sale/sharing. The advisory provided the example that “if Business A sells or shares a consumer’s online activities only in the context of cross-context behavioral advertising, then Business A would not need additional information, such as name or email address, to comply with a consumer request to opt-out of sale or sharing made by way of an opt-out preference signal.”

The September advisory, titled “Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice“, highlighted enforcement observations where consent user interfaces or “choice architectures” have the substantial effect of subverting or impairing a consumer’s autonomy, including when the business’s process for opting out of the sale/sharing of personal information takes more steps than the process to opt back in or when the path to exercise a more privacy-protective option is longer or more difficult than the path to exercise a less privacy-protective option (referred to as “symmetry in choice”, such as when the opt-in process only gives the choice of “yes” or “ask me later” (rather than “yes” or “no”)).

Therefore, although this settlement targeted a company in the connected vehicle space, companies across industries may be smart to take a second look at those April and September 2024 enforcement advisories and ensure their privacy user experience aligns with CPPA expectations. 

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.