Vault Door

CPPA Enforcement Actions: Key Lessons from Honda, Todd Snyder, and Healthline

By Scott C. Hall

The California Privacy Protection Agency (CPPA) is now in its second year with full enforcement powers and has begun to exercise its authority under the California Consumer Privacy Act (CCPA) in significant ways in 2025. With the creation of the CPPA and its recent assumption of enforcement authority, a new chapter of privacy rights enforcement has begun. Two recent enforcement actions against American Honda Motor Co. and menswear retailer Todd Snyder Inc. offer the most valuable insights to date into the CPPA’s priorities and expectations. They also highlight operational privacy gaps that companies of all sizes and in all industries should take note of and work to close. California’s Attorney General has also reminded everyone that the office is not to be forgotten in privacy enforcement, announcing the highest CCPA settlement to date in connection with a recent enforcement action involving health data.

Case One: Honda – Verification, Cookies, and Contracts

In March 2025, the CPPA announced its first enforcement order—a $632,500 administrative fine against American Honda Motor Co., one of the largest companies to face a formal enforcement action to date. The action stemmed from the CPPA’s 2023 sweep of connected vehicle manufacturers, aimed at scrutinizing how automakers collect and share consumer data via in-vehicle systems and online platforms.

Summary of Violations

  • Oververification for Opt-Outs: Honda required consumers submitting requests to opt out of the sale or sharing of their personal information—and requests to limit the use of sensitive personal information—to provide extensive personal details (including name, full address, phone number, and email). Consumer requests for access, deletion and correction require identity verification, but the CCPA rules prohibit such verification for opt-out and limitation requests.
  • Confusing Agent Authorization: The company also required consumers to confirm directly with Honda that they had authorized a third party to submit a request on their behalf, a practice explicitly disallowed by CCPA regulations for opt-out and limit-use requests.
  • Asymmetry in Cookie Management: The CPPA found Honda’s cookie consent banner violated design symmetry requirements. Consumers could “Accept All” cookies with a single click, but had to individually toggle off categories and confirm their choices to opt out—an unfair burden deemed to be a “dark pattern” under CCPA guidance.
  • Failure to Apply GPC to Known Users: Honda did not extend Global Privacy Control-based opt outs to known users with accounts, limiting the scope of opt-out effectiveness.
  • Contractual Failures with Adtech Vendors: Honda disclosed personal information to advertising technology partners without executing contracts that included required CCPA provisions, such as limitations on secondary use and data security commitments.

Case Two: Todd Snyder – Infrastructure Failures and Excessive Data Collection

In May 2025, the CPPA announced its second public enforcement order, this time against Todd Snyder Inc., a New York-based menswear retailer with several California locations. In settling with the CPPA, Todd Snyder agreed to pay a $345,178 fine and undertake numerous remedial steps. The case provides a useful contrast to Honda given that Todd Snyder is a smaller company facing many of the same privacy compliance challenges, but with different technical root causes.

Summary of Violations

  • Inaccessible Cookie Preferences: For a period of 40 days in late 2023, a defect in the company’s cookie banner caused it to vanish before users could interact with it. As a result, consumers were effectively unable to opt out of tracking and behavioral advertising. This also meant that GPC signals were not honored during the outage.
  • Excessive Verification for All Requests: Todd Snyder required users to upload a photo ID for all privacy requests—including opt-outs and SPI limitation requests—despite the CCPA’s clear prohibition on identity verification for these types of requests.
  • One-Size-Fits-All Request Portal: Like Honda, Todd Snyder used a single webform for all consumer rights requests, failing to distinguish between verified and non-verified request types. This design flaw resulted in systematic overcollection of sensitive data.
  • Lack of Internal Oversight: The CPPA emphasized that Todd Snyder failed to monitor its third-party privacy management tools and had no effective alerting system in place to catch or correct the cookie banner malfunction.

Case Three: Healthline – Purpose Limitation and Privacy Expectations

On July 1, 2025, the California Attorney General (AG) announced the largest settlement to date under the CCPA: a $1.55 million fine against Healthline Media LLC, a health and wellness website publisher. Unlike the CPPA-led actions against Honda and Todd Snyder, this enforcement was brought by the AG’s office and underscores the ongoing parallel enforcement powers shared between the two agencies.

The case against Healthline marked the first CCPA enforcement action focused on health-related data, highlighting how regulators are applying the law’s provisions to sensitive data practices even where traditional health privacy laws like HIPAA may not apply.

Summary of Violations

  • Failure to Honor Opt-Out Requests: Healthline allegedly sold or shared consumers’ personal information even after receiving opt outs, including Global Privacy Control (GPC) signals. Investigators found that third-party advertising cookies continued to collect and transmit information after consumers attempted to opt out.
  • Noncompliant Vendor Contracts: The company shared personal data with advertising partners without including CCPA-mandated contractual provisions, such as purpose limitations and requirements for equivalent privacy protections by the recipient.
  • Purpose Limitation Violation: This action is notable for including the CCPA’s “purpose limitation” requirement—one of the first enforcements to do so. The AG alleged that Healthline’s disclosure of article titles relating to medical conditions (e.g., Crohn’s disease) to third parties for advertising purposes went beyond the purposes reasonably expected by consumers. This was true even if such sharing was technically disclosed in the privacy policy.
  • Deceptive Practices: Healthline offered a cookie banner that appeared to allow users to disable advertising cookies but did not effectively do so, a practice characterized as deceptive under California’s Unfair Competition Law (UCL).

Enforcement Themes: Key Areas of CCPA Noncompliance

The enforcement actions against Honda, Todd Snyder, and Healthline reveal a consistent set of compliance failures—and signal where California regulators are focusing their scrutiny.

  • Oververification: Honda and Todd Snyder unlawfully required consumers to verify their identity for opt-out and SPI limitation requests. Todd Snyder even demanded photo IDs for all requests, violating the CCPA’s data minimization principle.
  • Poor UX and Dark Patterns: Honda’s cookie interface made opting out harder than opting in, while Healthline’s banner failed to function at all. The takeaway: design choices that confuse or burden users undermine valid consent and can lead to enforcement.
  • Technical Failures: Todd Snyder’s broken cookie banner and Healthline’s ineffective opt-out tools show that nonfunctional systems—even due to vendor error—are the business’s responsibility.
  • Ignoring GPC Signals: All three companies failed to properly process Global Privacy Control (GPC) signals. CCPA requires honoring GPC not only at the browser level, but across known user profiles.
  • Missing Vendor Contracts: Honda and Healthline disclosed personal data to ad tech vendors without the required contracts limiting use, a recurring violation with high enforcement risk.
  • Purpose Limitation: Healthline broke new ground by triggering enforcement under the CCPA’s purpose limitation rule. Sharing article titles that suggest medical conditions for ad targeting went beyond what a reasonable consumer would expect—even if disclosed. The AG’s action here probes into the subjective expectations of consumers, suggesting that even disclosed practices can be unlawful if they feel inherently invasive or unexpected. It also requires businesses to think hard about seemingly innocuous data like an article title that can become sensitive when tied to consumer identity.

Final Thoughts: Functional Privacy, Not Just Formalities

California regulators have made clear that privacy rights must be real, accessible, and aligned with consumer expectations. Enforcement is no longer just about having a policy—it’s about making privacy work in practice. From broken cookie banners to overbroad data sharing, businesses subject to the CCPA should be proactively and carefully evaluating their practices and making necessary improvements.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.