Ford Fined $375,000 for Adding Friction to Consumer Opt-Out Process Under CCPA
CalPrivacy fined Ford $375,703 for requiring email verification before processing CCPA opt-out requests. What this means for business compliance.
Formfy Team
Product Team
Ford Fined $375,000 for Adding Friction to Consumer Opt-Out Process Under CCPA
Summary
The California Privacy Protection Agency ordered Ford Motor Company to pay $375,703 and overhaul its opt-out process in March 2026. CalPrivacy found that Ford required consumers to verify their email address before processing opt-out requests-a step regulators deemed unnecessary and unlawful under the CCPA.
Key Details
Ford displayed a "One More Step!" message after consumers submitted opt-out requests, directing them to check their email for a confirmation link. Consumers who did not click the link had their requests ignored. Ford continued to sell or share their personal information despite receiving the initial opt-out submission.
CalPrivacy's Enforcement Division classified this email verification step as "unnecessary friction" violating CCPA requirements for minimal-step opt-out submission. The case emerged from CalPrivacy's multi-year enforcement sweep of connected vehicle manufacturers launched in 2023-the same initiative that produced a $632,500 action against American Honda in 2025.
Related reading: OCR Expands HIPAA Enforcement Beyond Risk Analysis to Target Risk Management Failures explains the next step for teams working on this workflow.
Under the settlement, Ford must process all previously unfulfilled opt-out requests, provide CCPA-compliant low-friction opt-out methods, audit all tracking technologies on its website, and honor opt-out preference signals including the Global Privacy Control.
Why This Matters
The Ford decision establishes that adding confirmation steps to opt-out flows-even common ones like email verification-can violate the CCPA. Any business inserting intermediate steps between a consumer's opt-out request and its processing faces enforcement risk.
CalPrivacy has now fined two major automakers in consecutive years, confirming that connected vehicle data practices remain a priority enforcement target. The auto industry collects extensive personal data through vehicle telematics, apps, and dealer interactions.
With the 10-state Consortium of Privacy Regulators coordinating enforcement priorities, businesses operating across multiple states should expect similar scrutiny of their opt-out mechanisms beyond California.
For businesses using digital consent and opt-out forms, this ruling makes the compliance requirement concrete: opt-out must be processed upon submission, with no added verification steps or confirmation hurdles that could delay or block the request.
Sources
Formfy Team
Product Team
Related Articles
Recent compliance and digital workflow updates for 2026-04-13
A source-backed roundup of recent compliance, security, and digital workflow updates for teams managing forms and records.
Patlytics Raises $40M Series B as AI Fuels Surge in Patent Filings and IP Litigation
Patlytics closed a $40M Series B led by SignalFire on April 8, 2026, serving 40%+ of Am Law 100 firms with AI for the full patent lifecycle.
Perplexity AI Hit With Class-Action Lawsuit for Sharing User Chat Data With Google and Meta Without Consent
Class-action lawsuit alleges Perplexity AI shared user chat transcripts with Google and Meta via embedded ad trackers—even in Incognito Mode.