
By: Avi Gesser, Johanna Skrzypczyk, Melyssa Eigen, Ned Terrace & Michelle Shen (Debevoise & Plimpton)
In this blog post, authors Avi Gesser, Johanna Skrzypczyk, Melyssa Eigen, Ned Terrace & Michelle Shen (Debevoise & Plimpton) discuss the California Privacy Protection Agency’s (CPPA) first public enforcement action under the California Consumer Privacy Act (CCPA). On March 12, 2025, the CPPA announced a stipulated decision and order following its investigation into American Honda Motor Company’s data privacy practices. Honda agreed to pay a $632,500 administrative fine and implement several compliance changes. Central to the decision were allegations that Honda’s cookie consent interface failed to provide users with a symmetrical choice, making it more difficult for consumers to opt out of data sharing than to accept tracking.
The authors highlight how this enforcement marks a broader regulatory trend toward scrutinizing cookie banners and consent mechanisms as potential “dark patterns”—designs that may undermine consumer choice. As more states implement privacy legislation, regulators are expected to view cookie management tools as a practical and visible target for enforcement. This case suggests that regulators may increasingly focus on the mechanics of how businesses collect consumer consent, particularly in the context of behavioral advertising and tracking.
Cookies, the authors explain, are small text files placed on a user’s browser, often used for analytics, functionality, and advertising. When cookies are used for cross-context behavioral advertising—such as showing ads to users based on activity across multiple websites—this constitutes “sharing” under the CCPA and “targeted advertising” under other U.S. state privacy laws. These laws require businesses to give consumers clear opt-out rights, which can be facilitated through cookie banners, privacy links, or browser-based signals like Global Privacy Control (GPC).
To comply with the CCPA, companies must ensure “symmetry of choice” in how cookie preferences are presented. This means that selecting the most privacy-protective option (like rejecting cookies) must not be more burdensome than accepting them. The CPPA found that Honda violated this standard by making it easier for users to consent to tracking than to opt out, and that it also failed to maintain compliant data processing agreements and required excessive personal information to process privacy rights requests…