
On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a $632,500 penalty against American Honda Motor Co. The order is one of the clearest signals yet that regulators read cookie banners button by button. Honda did not get fined for missing a banner. It got fined for how the banner asked. The opt-out took more clicks than the opt-in, and that imbalance alone was enough to trigger a formal enforcement action under the California Consumer Privacy Act (CCPA).

If you run a website that serves California visitors, this case is worth studying closely. It shows that having a consent tool installed is not the same as being compliant, and that the details of CCPA cookie consent design now carry real financial weight. Tools like CookieTrust are built to satisfy the exact symmetry rules Honda failed, but first it helps to understand precisely what went wrong.

What Honda Did Wrong

The CPPA Enforcement Division identified four separate problems. Each one is common, and each one is easy to reproduce by accident.

An unequal cookie banner

Honda’s banner offered an “Allow All” button that accepted advertising cookies in a single click. Opting out was a different story. A visitor had to toggle advertising cookies off and then click a second “Confirm My Choices” button. There was no “Decline All” button to mirror the one-click “Allow All.”

The CCPA requires that the method for opting out be as easy as the method for opting in. Regulators call this symmetry in choice. A consumer should never have to work harder to say no than to say yes. Honda’s two-step refusal against a one-step acceptance broke that rule directly.

Too much information to exercise a right

Honda required consumers to hand over an excess of personal information just to submit privacy requests, including requests to opt out of the sale or sharing of their data. Under the CCPA, a business may only ask for the information reasonably necessary to process a request. Asking for more turns a right into an obstacle course, and the Agency treated it as a violation.

Blocked authorized agents

The CCPA lets consumers use an authorized agent to submit privacy requests on their behalf. Honda’s process made that difficult, which obstructed a right the law explicitly grants.

Sharing data without contracts

Honda disclosed personal information to advertising technology vendors without the data protection contracts the CCPA requires. The Agency found Honda could not produce evidence that those agreements existed. Responsibility for the disclosure stayed with Honda even though other companies handled the data flow.

The Detail Everyone Should Notice

Honda did not build its cookie banner from scratch. It used a third-party consent management platform (OneTrust) to power the tool. The banner still failed.

This is the part that matters for every business reading the headline and assuming a brand-name vendor equals safety. A consent management platform is only as compliant as its configuration. The platform gave Honda the controls. The choices made inside those controls (a one-click accept, a two-step decline, no symmetrical reject button) produced the violation. Regulators looked at what the visitor actually saw and clicked, not at which vendor’s logo sat in the admin panel.

The takeaway: Installing a CMP does not make you compliant. Configuring it for genuine symmetry does. Default or careless settings can still produce an enforcement action.

What the CPPA Made Honda Do

The financial penalty was $632,500, but the order goes further. Honda must:

  • Change and simplify how consumers submit CCPA requests, so opting out is as easy as opting in
  • Consult a qualified user experience designer to evaluate the request methods for symmetry and ease of use
  • Put CCPA-compliant contractual terms in place with its advertising technology vendors
  • Train employees on the new procedures
  • Report back to the Agency and certify its compliance

The inclusion of a user experience designer is striking. The regulator is effectively saying that consent compliance is a design problem as much as a legal one. The friction lives in the interface, so the fix has to live there too.

Michael Macko, who leads the CPPA Enforcement Division, framed the approach plainly: “The remedy should fit the problem behavior,” with penalties scaled to the number of violations. Tiffany Garcia, the Agency’s Interim Executive Director, said the agreement “underscores our commitment to advocating for improved business practices that truly benefit consumers.” The message to the market is that choice architecture is now an enforcement priority.

What This Means for Your Website

You do not need to be a global automaker to make Honda’s mistakes. Run through this quick self-check against your own cookie banner:

  • Click count. Can a visitor reject all non-essential cookies in the same number of clicks it takes to accept them? If “Accept All” is one click and rejecting takes two or more, you have an asymmetry problem.
  • Equal prominence. Is your reject option a real button with the same visual weight as accept, or is it a faint text link, a hidden toggle, or buried in a second screen?
  • Request data minimization. When someone exercises a privacy right, do you ask only for what you genuinely need to fulfill it?
  • Authorized agents. Can a third party submit a request on a consumer’s behalf without an artificial roadblock?
  • Vendor contracts. Do you have signed CCPA-compliant data processing terms with every advertising and analytics vendor that receives visitor data?

If any answer is uncomfortable, you are closer to Honda’s position than you might like. The good news is that the banner side of this list is the easiest to fix, because symmetry is a solved problem when the consent tool is built correctly.
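The click-count item in the self-check can be automated by modelling the banner as a graph of clicks and comparing the shortest accept path with the shortest reject path. The JavaScript below is an added example, not code from CookieTrust, OneTrust or the CPPA order; the button labels follow the banner described above, while the default-on advertising toggle and all identifiers are assumptions.

```javascript
// Added example; all names are hypothetical. Banner models are constructed
// from the article's description, not taken from any real CMP configuration.
// A control is one click: it may flip the advertising toggle and/or submit.
const allowAll = { label: "Allow All", apply: () => ({ ads: true, submitted: true }) };
const declineAll = { label: "Decline All", apply: () => ({ ads: false, submitted: true }) };
const adsToggle = { label: "Advertising toggle", apply: s => ({ ...s, ads: !s.ads }) };
const confirmChoices = { label: "Confirm My Choices", apply: s => ({ ...s, submitted: true }) };

// Assumption: advertising cookies start enabled, since the visitor had to toggle them off.
const initial = { ads: true, submitted: false };
const twoStepDecline = { initial, controls: [allowAll, adsToggle, confirmChoices] };
const oneClickDecline = { initial, controls: [allowAll, declineAll, adsToggle, confirmChoices] };

// Breadth-first search: shortest click path to a submitted choice with ads on/off.
function minClicks(banner, wantAds) {
  const key = s => `${s.ads}|${s.submitted}`;
  const seen = new Set([key(banner.initial)]);
  let frontier = [{ state: banner.initial, path: [] }];
  while (frontier.length > 0) {
    const next = [];
    for (const { state, path } of frontier) {
      if (state.submitted) {
        if (state.ads === wantAds) return path;
        continue; // banner closed with the other outcome; no further clicks
      }
      for (const control of banner.controls) {
        const s = control.apply(state);
        if (seen.has(key(s))) continue;
        seen.add(key(s));
        next.push({ state: s, path: [...path, control.label] });
      }
    }
    frontier = next;
  }
  return null; // outcome unreachable from this banner
}

// Symmetry holds when rejecting never costs more clicks than accepting.
function auditSymmetry(banner) {
  const acceptPath = minClicks(banner, true);
  const rejectPath = minClicks(banner, false);
  const ok = acceptPath !== null && rejectPath !== null &&
    rejectPath.length <= acceptPath.length;
  return { acceptPath, rejectPath, symmetric: ok };
}

console.log(auditSymmetry(twoStepDecline));
console.log(auditSymmetry(oneClickDecline));
```

This covers click count only; equal prominence still has to be checked against the rendered buttons.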

Simplifying CCPA Cookie Consent with CookieTrust

Honda’s banner failed because its accept and reject paths were not equal. A consent platform should make symmetry the default, not something you have to remember to configure. That is the design principle behind CookieTrust.

Instead of hand-building banner logic and hoping the click counts match, you add two lines:

<script src="https://cmp.cookietrust.io/gdpr/autoblocker.umd.js"></script>
<script id="cookietrust-cmp" src="https://cmp.cookietrust.io/gdpr/[YOUR-SITE-ID]/latest/v2consent.js" async></script>

What this gives you against the exact failures in the Honda order:

  • Symmetrical accept and reject by default. “Accept All” and “Reject All” sit side by side with equal prominence and the same single-click effort, which is precisely the symmetry the CPPA required Honda to retrofit.
  • Auto-blocking of advertising and analytics scripts. Google, Meta, TikTok and other trackers stay blocked until the visitor agrees, so a non-consenting user is not silently shared with ad tech vendors.
  • Proof of consent. Timestamped consent logs give you the audit trail to show a regulator what a visitor was shown and chose, instead of reconstructing it after the fact.
  • CCPA, GDPR and ePrivacy in one configuration. The same setup covers California visitors and EU visitors, with geolocation rules when you need different banners per region.

For WordPress sites, the CookieTrust plugin goes further. An AI crawler scans your site, detects every cookie and tracking script, identifies your brand colors for the banner, and categorizes everything automatically. You are not manually maintaining a cookie list that drifts out of date the moment marketing adds a new pixel.

None of this removes your responsibility for vendor contracts (that part of the Honda order is a procurement and legal task), but it does close the banner gap that started the whole case.

Ready to make your reject button as easy as accept?

Start your free CookieTrust trial

Key Takeaways

  • The CPPA fined Honda $632,500 on March 12, 2025, largely because its cookie banner made opting out harder than opting in.
  • CCPA requires symmetry in choice: rejecting must be as easy as accepting, with equal prominence and equal effort.
  • Using a major consent platform did not protect Honda. Configuration, not vendor brand, decides compliance.
  • The order also targeted excess data collection on requests, blocked authorized agents, and missing vendor contracts.
  • Regulators now treat consent as a user experience problem and inspect the actual clicks a visitor makes.

The Honda order is not an outlier; it is a template for how CCPA cookie consent will be enforced from here. The websites that stay out of trouble are the ones whose reject button is exactly as easy to find and click as accept.


Take the next step: Make sure your cookie banner passes the symmetry test before a regulator does it for you. Start your free CookieTrust trial and get a balanced, compliant consent banner live in minutes, or see how CookieTrust handles CCPA and GDPR in one setup.
