Privacy & Cybersecurity Law Blog

On March 5, 2026, the California Privacy Protection Agency (“CalPrivacy”) announced that the agency had reached a settlement with Ford Motor Company (“Ford”) resolving an enforcement action against the company that alleged noncompliance with the California Consumer Privacy Act’s (“CCPA’s”) opt-out of sale/sharing rights.

Investigation and Findings

The Ford settlement marks CalPrivacy’s second enforcement action stemming from its investigative sweep into connected vehicles’ compliance with the CCPA. CalPrivacy’s investigation focused on Ford’s handling of consumer opt-out of sale/sharing requests submitted through Ford’s websites and mobile apps. CalPrivacy alleged that from July 1, 2023, through March 1, 2024, Ford provided consumers with an online privacy rights request form that allowed consumers to submit requests to opt out of the sale or sharing of their personal information.

CalPrivacy alleged that, after consumers submitted opt-out requests through the form, Ford required consumers to confirm their requests through email verification before the company processed the requests. CalPrivacy determined that this requirement effectively imposed a “verifiable consumer request” requirement for opt-out requests, in violation of the CCPA. Under the CCPA, businesses are not permitted to require that consumers verify their identity to submit an opt-out of sale/sharing request. CalPrivacy further alleged that Ford did not process opt-out requests and continued to sell or share personal information for some consumers who had already submitted opt-out requests but had not verified their email.

Settlement Terms

Under the stipulated settlement order, Ford agreed to pay an administrative fine of $375,703 and implement a number of compliance measures, including:

• modifying its methods for submitting and processing opt-out requests so that the process requires minimal steps;
• not requiring opt-out requests to be “verifiable consumer requests”;
• honoring opt-out requests within the timeframe required by the CCPA; and
• conducting an audit of tracking technologies on Ford’s websites, including cookies, web beacons and pixels, to ensure the company properly honors opt-out preference signals, such as the Global Privacy Control, where required.