Ford Fined $375,000 for Adding Friction to Consumer Opt-Out Process Under CCPA
CalPrivacy fined Ford $375,703 for requiring email verification before processing CCPA opt-out requests. What this means for business compliance.
Formfy Team
Product Team
Ford Fined $375,000 for Adding Friction to Consumer Opt-Out Process Under CCPA
Summary
The California Privacy Protection Agency ordered Ford Motor Company to pay $375,703 and overhaul its opt-out process in March 2026. CalPrivacy found that Ford required consumers to verify their email address before processing opt-out requests-a step regulators deemed unnecessary and unlawful under the CCPA.
Key Details
Ford displayed a "One More Step!" message after consumers submitted opt-out requests, directing them to check their email for a confirmation link. Consumers who did not click the link had their requests ignored. Ford continued to sell or share their personal information despite receiving the initial opt-out submission.
CalPrivacy's Enforcement Division classified this email verification step as "unnecessary friction" violating CCPA requirements for minimal-step opt-out submission. The case emerged from CalPrivacy's multi-year enforcement sweep of connected vehicle manufacturers launched in 2023-the same initiative that produced a $632,500 action against American Honda in 2025.
Under the settlement, Ford must process all previously unfulfilled opt-out requests, provide CCPA-compliant low-friction opt-out methods, audit all tracking technologies on its website, and honor opt-out preference signals including the Global Privacy Control.
Why This Matters
The Ford decision establishes that adding confirmation steps to opt-out flows-even common ones like email verification-can violate the CCPA. Any business inserting intermediate steps between a consumer's opt-out request and its processing faces enforcement risk.
CalPrivacy has now fined two major automakers in consecutive years, confirming that connected vehicle data practices remain a priority enforcement target. The auto industry collects extensive personal data through vehicle telematics, apps, and dealer interactions.
With the 10-state Consortium of Privacy Regulators coordinating enforcement priorities, businesses operating across multiple states should expect similar scrutiny of their opt-out mechanisms beyond California.
For businesses using digital consent and opt-out forms, this ruling makes the compliance requirement concrete: opt-out must be processed upon submission, with no added verification steps or confirmation hurdles that could delay or block the request.
Sources
Formfy Team
Product Team
Related Articles
20 US States Enforce Privacy Laws in 2026 After Indiana, Kentucky, and Rhode Island Go Live
Indiana, Kentucky, and Rhode Island privacy laws took effect Jan 1, 2026. Fines reach $10,000 per violation across 20 states with active enforcement.
California Privacy Agency Fines Data Brokers Selling Health Data in Delete Act Crackdown
California's CPPA fined Datamasters and S&P Global $107,600 combined for failing to register as data brokers under the Delete Act.
HR E-Signatures: Fix Onboarding to Reduce 45-Day Turnover
20% of new hires quit in 45 days due to poor onboarding. Digital e-signatures boost retention by 82% and cut HR paperwork by 75%.