California Privacy Agency Fines Ford for Opt-Out Process Friction

Newsroom

Ford to Change Practices, Pay Fine for Adding Unnecessary Friction to Opt-Out Process

March 5, 2026

SACRAMENTO, CA — The California Privacy Protection Agency Board has issued a decision requiring Ford Motor Company to pay a $375,703 fine and change its practices following a settlement reached by CalPrivacy’s Enforcement Division. The decision emphasizes that unnecessary friction in the opt-out process violates the California Consumer Privacy Act (CCPA).

Ford vehicles are commonly found on roadways across California. California’s privacy law, the CCPA, gives consumers the right to stop Ford and other businesses from selling and sharing their personal information by opting out. According to the Board’s decision, Ford required consumers to verify their identity before they could opt-out. Ford did so by requiring consumers to verify their email address as part of the opt-out process, resulting in unnecessary friction for consumers seeking to exercise their rights.

The company required consumers to complete an email verification step before they could opt-out of the sale and sharing of personal information collected through its digital properties and connected vehicle services. As a result, Ford did not process opt-out requests unless consumers completed this step. In response to the agency’s investigation, Ford has since processed the opt-out requests that lacked verification.

“Opting out is supposed to be easy,” said Michael Macko, the head of enforcement at CalPrivacy. “Just as unnecessary steps in the checkout process can discourage consumers from completing a purchase, unnecessary steps in the opt-out process can discourage consumers from exercising their privacy rights. We will continue to scrutinize practices that create these kinds of barriers for Californians.”

“The agency has made it a priority to remove obstacles that prevent Californians from exercising their privacy rights,” said Tom Kemp, CalPrivacy’s Executive Director. “This case shows that the Enforcement Division will take all appropriate action when practices fall short of the law’s requirements.”

In addition to paying the fine, Ford must change its business practices by providing consumers with easy methods to submit opt-out requests with minimal steps. Ford must also conduct an audit of the tracking technologies on its website and ensure compliance with opt-out preference signals, including the Global Privacy Control. The matter arose from the Enforcement Division’s review of data privacy practices by connected vehicle manufacturers, similar to the enforcement action last year against American Honda Motor Co.

The case was handled by Enforcement Division Attorneys Alex Berger and Michael Meyer, with investigative assistance from Research Technologist Nikita Samarin.

CalPrivacy’s Recent Enforcement Actions to Protect Californians

CalPrivacy is actively enforcing California’s cutting-edge privacy laws. Recent actions include:

• Issuing a decision requiring PlayOn Sports, the provider of digital ticketing platforms for high school sporting events, to pay a $1.10 million fine and change its practices to remedy privacy violations.
• Securing a settlement requiring Datamasters, a data broker, to pay a fine and stop selling lists of Californians who have Alzheimer’s disease and other health conditions.
• Issuing a decision requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35 million fine and change its business practices for C alifornia C onsumer P rivacy A ct (CCPA) violations.
• Issuing a decision requiring a nationwide clothing retailer, Todd Snyder, Inc., to change its business practices and pay a $345,178 fine for CCPA violations.
• Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
• Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
• Bringing more than ten enforcement actions against additional unregistered data brokers.
• Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
• Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

About Us

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act, Delete Act, and Opt Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information and tips on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy’s website provides important information about Board Meetings, announcements, and the rulemaking process.

About

• About CalPrivacy
• Blog
• Subscribe
• Contact us

Businesses

• Business resources
• Data brokers
• Data broker registry Website Accessibility Certification