On March 5, 2026, the California Privacy Protection Agency (CalPrivacy or the Agency) announced a $375,703 settlement with Ford Motor Company (Ford), stemming from its long-running investigation into the privacy practices of connected vehicle manufacturers, an inquiry the Agency has been pursuing since 2023.
The Ford matter was announced just days after CalPrivacy’s settlement with PlayOn Sports, highlighting an acceleration in enforcement activity and signaling that companies can expect continued regulatory scrutiny coming out of California. See our recent alert on the PlayOn matter here.
The Ford settlement provides additional insight into how CalPrivacy is evaluating the design and operation of opt‑out mechanisms.
About the Case
Similar to the Honda case, which was announced in March of last year, CalPrivacy alleged that Ford’s opt-out process violated the CCPA.[1] According to the order, Ford provided notice of the right to opt-out online and provided an interactive form for consumers to submit privacy requests, including requests to opt-out of sales and sharing. However, when consumers submitted the request form to opt-out, the form generated an email confirmation that required consumers to click to verify their email address before the request was processed. If consumers failed to click the confirmation link, their requests went unprocessed and ultimately expired.
Verifiable Consumer Requests
First, the order alleges that Ford improperly required consumers to submit a “verifiable consumer request” to exercise the right to opt-out of sale or sharing, in violation of Cal. Code Regs., Tit. 11 § 7026(d). Under the CCPA regulations, a “verifiable consumer request” is a request that a business can verify, using commercially reasonable methods, to be made by the consumer about whom the business has collected personal information. CalPrivacy found the email confirmation requirement effectively constituted an impermissible verifiable consumer request, creating unnecessary friction for consumers exercising their opt-out rights.
Continued Sale/Sharing
The second violation flows directly from the first. According to the order, because Ford did not process opt-out requests submitted by consumers who did not complete the email verification step, the company continued to sell and share those consumers’ personal information after receiving their direction to stop, in violation of CCPA § 1798.120(d). Accordingly, the order alleged a violation for each instance in which Ford subsequently sold or shared the personal information of a consumer who submitted a request to opt-out through Ford’s consumer privacy rights request form.
Settlement Obligations
In addition to an administrative penalty of $375,703, the order requires Ford to:
- Modify its opt‑out processes to ensure that opt‑out methods are easy to use, require minimal steps, and do not condition the exercise of opt‑out rights on submission of a verifiable consumer request
- Audit tracking technologies on Ford.com, including cookies, web beacons, and pixels, to ensure they are properly configured to honor consumers’ use of opt-out preference signals, such as the Global Privacy Control, where required
- Implement the required modifications and audit within 90 days of the order’s effective date, certify completion to CalPrivacy’s Enforcement Division
Takeaways Moving Forward
Bottom line: requiring consumers to confirm access to and control over an email address—even through a simple confirmation link—can constitute an impermissible verifiable consumer request under the CCPA. Businesses should audit the practical workflows in their opt-out mechanisms and look out for any confirmation loops or extra steps that could cause unnecessary friction in violation of the CCPA.
For questions regarding CalPrivacy enforcement trends, opt‑out obligations, or the implications of this settlement for your organization, contact the authors or any member of our Data Protection, Privacy, and Security team.
