By: Avi Gesser, Johanna Skrzypczyk, Melyssa Eigen, Ned Terrace & Michelle Shen (Debevoise & Plimpton)
In this blog post, authors Avi Gesser, Johanna Skrzypczyk, Melyssa Eigen, Ned Terrace & Michelle Shen (Debevoise & Plimpton) discuss the California Privacy Protection Agency’s (CPPA) first public enforcement action under the California Consumer Privacy Act (CCPA). On March 12, 2025, the CPPA announced a stipulated decision and order following its investigation into American Honda Motor Company’s data privacy practices. Honda agreed to pay a $632,500 administrative fine and implement several compliance changes. Central to the decision were allegations that Honda’s cookie consent interface failed to provide users with a symmetrical choice, making it more difficult for consumers to opt out of data sharing than to accept tracking.
The authors highlight how this enforcement marks a broader regulatory trend toward scrutinizing cookies banners and consent mechanisms as potential “dark patterns”—designs that may undermine consumer choice. As more states implement privacy legislation, regulators are expected to view cookie management tools as a practical and visible target for enforcement. This case suggests that regulators may increasingly focus on the mechanics of how businesses collect consumer consent, particularly in the context of behavioral advertising and tracking.
Cookies, the authors explain, are small text files placed on a user’s browser, often used for analytics, functionality, and advertising. When cookies are used for cross-context behavioral advertising—such as showing ads to users based on activity across multiple websites—this constitutes “sharing” under the CCPA and “targeted advertising” under other U.S. state privacy laws. These laws require businesses to give consumers clear opt-out rights, which can be facilitated through cookie banners, privacy links, or browser-based signals like Global Privacy Control (GPC).
To comply with the CCPA, companies must ensure “symmetry of choice” in how cookie preferences are presented. This means that selecting the most privacy-protective option (like rejecting cookies) must not be more burdensome than accepting them. The CPPA found that Honda violated this standard by making it easier for users to consent to tracking than to opt out, and also failed to maintain compliant data processing agreements and required excessive personal information to process privacy rights requests…
Featured News
Attorneys in NCAA Antitrust Case Awarded $475M in Fees
Jun 8, 2025 by
CPI
SEC Grants Elon Musk Additional Six Weeks to Respond in Twitter Stake Disclosure Suit
Jun 8, 2025 by
CPI
Judge Dismisses Key Claims Against Google in Publishers’ Piracy Suit
Jun 8, 2025 by
CPI
Indian Regulator Probes Asian Paints After Complaint by Aditya Birla’s Birla Opus
Jun 8, 2025 by
CPI
The 10-Year Ban on State AI Law Lives, At Least for Now, in Senate Version of Budget Bill
Jun 8, 2025 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Industrial Policy
May 21, 2025 by
CPI
Industrial Strategy and the Role of Competition – Taking a Business Lens
May 21, 2025 by
Marcus Bokkerink
Industrial Policy, Antitrust, and Economic Growth: Some Observations
May 21, 2025 by
David S. Evans
Bolder by Design: Crafting Pro-Competitive Industrial Policies For Complex Challenges
May 21, 2025 by
Antonio Capobianco & Beatriz Marques
Competition-Friendly Industrial Policy
May 21, 2025 by
Philippe Aghion, Mathias Dewatripont & Patrick Legros