Built Ford Tough, But Not CCPA-Proof: California Issues $375K Privacy Fine

On March 5, the California Privacy Protection Agency (CPPA) announced a $375,703 administrative fine against Ford Motor Company over how it handled consumer opt-out requests under the California Consumer Privacy Act (CCPA).

The enforcement action signals that California regulators are willing to impose significant penalties even for relatively small compliance missteps that interfere with consumer privacy rights.

Under the CCPA, consumers have the right to opt out of the sale or sharing of their personal information at any time, and businesses cannot require a “verifiable consumer request” to exercise that right. Businesses may require verification when consumers exercise other rights, such as the right to know, delete, or correct personal information.

The regulations allow businesses to request information necessary to identify the consumer whose data should no longer be sold or shared, but if the business can honor the opt-out without additional information, it must do so.

Ford provided an online form for consumers to submit privacy requests, including opt-outs. After submission, however, Ford required consumers to confirm their email and identity before processing the request.

The CPPA concluded that this additional confirmation step created unnecessary friction and effectively turned the opt-out into a verifiable consumer request, which the regulations prohibit.

Ford also treated unconfirmed requests as “expired,” meaning some opt-out requests were never processed and the company continued selling or sharing personal information after consumers had directed it to stop.

For businesses, the decision highlights how closely regulators are examining the mechanics of privacy request workflows. Even routine design choices in a web form or request process can become compliance issues if they delay or complicate the exercise of consumer rights.