

California privacy regulators continue to sharpen their focus on how businesses operationalize consumer rights—and the California Privacy Protection Agency’s (CPPA) latest enforcement action against Ford Motor Company sends a clear message: consumer experience in the exercise of data privacy rights is a critical component of data privacy compliance.
As part of its investigative sweep into the compliance of connected vehicles with the California Consumer Privacy Act (CCPA), the CPPA recently announced a settlement with Ford Motor Company arising from alleged violations of the CCPA, as amended by the California Privacy Rights Act (CPRA). At the center of the enforcement action was Ford’s consumer opt-out process, specifically relating to the right to opt out of the “sale” or “sharing” of personal information. Ford required consumers to complete an email verification process before processing consumer opt-out requests. Under the CCPA, businesses are not permitted to require that consumers verify their identity to submit an opt-out of data sale or sharing request. According to the CPPA, Ford’s process introduced “unnecessary friction” that made it more difficult for consumers to exercise their data privacy rights.
This enforcement action is part of a broader regulatory trend by California regulators whose reach can extend to interstate commerce directed at California, often giving California regulations national effect. Compliance must be viewed through the lens of not only providing consumers with the literal means to access and exercise their data privacy rights, but also providing a user experience that does not impose undue restrictions on such exercise. This includes auditing privacy law compliance mechanisms for “dark patterns,” design choices that manipulate or frustrate user decisions, which can create the sort of “unnecessary friction” the CPPA found in Ford’s unnecessary and inappropriate requirement that consumers complete email verification to make opt-out requests.
Beyond avoiding these more obvious violations, however, businesses must ensure that there is “symmetry in choice” across websites and mobile apps with respect to data privacy rights. Put simply, the structure of a consumer’s ability to exercise data privacy rights must match, in both scope and friction, the business’s ability to collect consumer data. In the Ford enforcement action, the imbalance between a consumer’s ability to opt in to data sharing and sale practices versus their ability to opt out was a focal point of the CPPA’s findings, with the head of the CPPA, Michael Macko, stating that “Opting out is supposed to be easy… Just as unnecessary steps in the checkout process can discourage consumers from completing a purchase, unnecessary steps in the opt-out process can discourage consumers from exercising their privacy rights.”
This principle of symmetry in choice was also recently advanced in the CPPA’s enforcement action against The Walt Disney Company, which resulted in a settlement of $2.75 million with the state. In that action, state regulators found that Disney did not adequately provide consumers with the ability to exercise their rights: it failed to honor consumer opt-out requests from data sale and sharing across all of its various online services, apps and consumer devices, even as it was able to associate consumer devices with the consumer across all such platforms for advertising purposes. If Disney was able to collect and track a consumer’s data across all of its various services, it should, according to the California Attorney General, be able to honor a consumer’s opt-out rights across all such services.
In light of California regulators’ increasing focus on user experience in the exercise of consumer privacy rights, businesses should ensure that their data privacy compliance practices eliminate unnecessary friction in the process and are appropriate in scope in relation to data collection practices. This includes an audit of opt-out and other mechanisms available for consumers to exercise their data privacy rights, including those managed by third-party vendors, which may not be compliant with evolving enforcement stances regarding symmetry in choice and the avoidance of unnecessary friction in opt-out requests. Additionally, businesses should ensure that their opt-out architecture is appropriate in scope relative to data collection architecture; the ability of a consumer to easily opt in to data collection, sharing and sale practices across services should be matched by an ability to easily opt out of such practices across the same services. This is particularly important for businesses in the “Internet of Things” or connected devices market, as data collection is often very easily aligned across internet, mobile app, and connected device-based services, and must be similarly aligned with respect to the exercise of consumer privacy rights.
Working with qualified advisors with both experience and expertise in navigating data privacy compliance issues is essential to ensuring your compliance practices evolve with the changing regulatory enforcement landscape. With legal counsel certified with the International Association of Privacy Professionals, PAG Law’s Data Privacy, Cybersecurity and AI Governance practice group is ready to help your business create compliant data privacy policies, audit existing data practices, and respond to consumer and regulatory inquiries.
