Ford Motor Company Fined $375,703 by California Privacy Agency for Blocking Consumer Opt-Out Rights

The California Privacy Protection Agency (CPPA) has issued a $375,703 fine against Ford Motor Company in a landmark enforcement action that should make every compliance team re-examine their opt-out processes. The violation? Requiring consumers to confirm their email before processing opt-out requests — a practice that seems routine but directly violates CCPA regulations.

The Case: ENF23-V-FO-3

On February 27, 2026, the CPPA Board adopted a Stipulated Final Order against Ford Motor Company, resolving an investigation that began as part of a broader inquiry into vehicle manufacturers’ privacy practices.

The enforcement action centers on a deceptively simple compliance failure: Ford required consumers to verify their identity before honoring requests to opt out of the sale and sharing of personal information.

Under the CCPA and its implementing regulations, that’s illegal.

What Ford Did Wrong

The Opt-Out Process That Violated the Law

Ford provided consumers with an online privacy rights form — a standard interactive tool where users could exercise various CCPA rights, including the right to opt out of data sales and sharing. The form collected the consumer’s name, address, phone number, relationship with Ford, and the type of request.

So far, so compliant.

The problem began after consumers clicked “submit.”

Instead of processing the opt-out request immediately, Ford displayed a message: “One More Step! Please confirm your Request! Please check your email for confirmation, click confirm and we will start your request.”

Ford then sent consumers an email requiring them to “confirm your email and identity” by clicking a confirmation button. The email explicitly stated: “Once we have confirmed your identity, we will respond to your request within the legally required time period.”

Under CCPA regulations (Section 7026(d)):

A business may not require consumers to submit verifiable consumer requests to opt out of the sale/sharing of their personal information.

This is a critical distinction in CCPA compliance. While businesses can require identity verification for rights like deletion, correction, and access (rights to know), the right to opt out has deliberately lower friction requirements.

The regulation is explicit: a business may ask for information necessary to identify which consumer’s data should stop being sold, but “to the extent that the business can comply with a request to opt-out without additional information, it shall do so.”

Ford already had enough information from the initial form submission to process the opt-out. The email confirmation step was unnecessary — and by requiring it, Ford was effectively imposing a verifiable consumer request requirement on a right that explicitly prohibits one.

The Consequences for Consumers

Ford deemed as “expired” all opt-out requests from consumers who didn’t click the email confirmation button. This meant:

  • Dozens of opt-out requests went unprocessed during the relevant period (July 2023 — March 2024)
  • Ford continued to sell and share these consumers’ personal information despite receiving their opt-out requests
  • Each continued sale/share after an unprocessed opt-out constituted a separate violation under Civil Code section 1798.120(d)

The Stipulated Final Order

Financial Penalty

Ford must pay $375,703 in administrative fines within 30 days of the order’s effective date.

Required Compliance Actions (90-Day Deadline)

Ford must complete the following within 90 days:

  1. Modify opt-out methods to be easy and require minimal steps
  2. Remove identity verification requirements from opt-out processes
  3. Honor opt-out requests immediately to the extent possible with information already provided
  4. Audit all tracking technologies on Ford.com (cookies, web beacons, pixels) to ensure they properly honor opt-out preference signals like the Global Privacy Control (GPC)

What Ford Did Not Admit

Per the terms of the settlement, Ford neither admits nor denies the factual findings. Ford does not admit liability for any CCPA violation. However, Ford agreed to be bound by all terms of the order and waived all rights to hearings, appeals, and other review.

Why This Matters for Every Business

1. The Opt-Out/Verification Distinction Is Real

Many businesses apply the same verification flow to all consumer rights requests. This case makes clear that the CCPA treats opt-out differently. If your opt-out process includes any of the following, you may have a problem:

  • Email confirmation requirements
  • Identity verification steps beyond what’s needed to identify the consumer
  • Multi-step processes that create friction
  • “Are you sure?” confirmations that delay processing

2. “We Didn’t Intend To” Is Not a Defense

The order notes that Ford “did not intend to require consumers to submit a verifiable consumer request” for opt-outs, nor did Ford intend to include identity confirmation language in the email. Intent doesn’t matter. The practice itself violated the regulation.

This is particularly relevant for organizations using third-party consent management platforms or privacy request tools that may apply uniform verification flows across all request types.

3. The CPPA Is Investigating Industries, Not Just Companies

This enforcement action originated from a “general inquiry into vehicle manufacturers’ privacy practices.” The CPPA isn’t just responding to complaints; it’s proactively investigating entire sectors. The automotive industry is clearly on its radar, and the connected vehicle space, with its massive data collection capabilities, is a natural target.

4. GPC Compliance Is on the Checklist

The order’s requirement that Ford audit tracking technologies for Global Privacy Control compliance signals that the CPPA expects businesses to honor GPC signals. If your website doesn’t respond to GPC, this should be a priority.

5. Cooperation Has Value

The order notes that Ford “cooperated with the Enforcement Division, produced documents, answered questions, and engaged in candid discussions” and “updated certain components of its process” during the investigation. Ford also processed the previously expired opt-out requests in response to the investigation. This cooperation likely influenced the relatively moderate fine amount.

Compliance Checklist: Opt-Out Best Practices

Based on the Ford enforcement action, organizations should:

  • Separate opt-out workflows from other consumer rights request flows
  • Remove identity verification from opt-out processes (unless absolutely necessary to identify the consumer)
  • Process opt-outs immediately upon form submission — no email confirmations, no “one more step”
  • Audit third-party privacy tools to ensure they don’t apply verification to opt-out requests
  • Honor GPC signals across all digital properties
  • Document processing timelines — can you prove opt-outs were processed within the required timeframe?
  • Train privacy teams on the distinction between opt-out and other consumer rights
  • Review connected product data flows — vehicles, IoT devices, apps — for opt-out compliance
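
One way to implement the "separate workflows", "process immediately" and "honor GPC" items, as an added example that is not taken from the CPPA order or from Ford's systems. The function names, the in-memory `store` and the name-plus-address consumer key are assumptions made for illustration; `Sec-GPC: 1` is the request header defined by the Global Privacy Control specification.

```python
from datetime import datetime, timezone

# Request types that may wait on identity verification (access/know, delete, correct).
VERIFIABLE = {"access", "delete", "correct"}

def gpc_enabled(headers):
    """True when the browser sent the Global Privacy Control header (Sec-GPC: 1)."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    return norm.get("sec-gpc") == "1"

def record_opt_out(store, consumer_key, source):
    """Apply the opt-out at once and keep a timestamp as processing evidence."""
    store[consumer_key] = {
        "sale_sharing_opt_out": True,
        "source": source,
        "processed_at": datetime.now(timezone.utc).isoformat(),
    }
    return {"status": "processed", "verification_required": False}

def handle_request(store, req_type, form):
    """Route a privacy request; opt-outs never enter the verification queue."""
    # Assumed key: the form already identifies the consumer by name and address.
    key = (form["name"].strip().lower(), form["address"].strip().lower())
    if req_type == "opt_out":
        return record_opt_out(store, key, "form")  # no confirmation e-mail, no expiry
    if req_type in VERIFIABLE:
        # Only these request types wait for the consumer to verify identity.
        return {"status": "pending_verification", "verification_required": True}
    raise ValueError(f"unknown request type: {req_type}")

def handle_page_view(store, session_id, headers):
    """Treat a GPC signal as an opt-out for this browser session, no form needed."""
    if gpc_enabled(headers):
        return record_opt_out(store, ("session", session_id), "gpc")
    return {"status": "no_signal", "verification_required": False}

if __name__ == "__main__":
    store = {}
    # Constructed sample form submission, not real consumer data.
    form = {"name": "Pat Example", "address": "1 Main St", "phone": "555-0100"}
    print(handle_request(store, "opt_out", form))
    print(handle_request(store, "delete", form))
    print(handle_page_view(store, "sess-1", {"Sec-GPC": "1"}))
```

The `processed_at` timestamp is what lets a privacy team answer the checklist's question about proving when an opt-out took effect.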

The Bottom Line

Ford’s $375,703 fine isn’t the largest CCPA penalty we’ve seen, but the lesson it teaches is worth far more. Email confirmation, a standard UX pattern that most businesses would consider best practice for security purposes, was found to violate the CCPA when applied to opt-out requests.

The CPPA is telling businesses: when a consumer says “stop selling my data,” you stop. No extra steps. No confirmation emails. No friction. Period.

As connected vehicles, IoT devices, and AI-driven services collect increasingly granular personal information, the automotive industry won’t be the last sector to face this level of scrutiny. Every organization that processes opt-out requests should take this enforcement action as a direct prompt to audit their own processes — before the CPPA does it for them.


This article is based on the CPPA’s Stipulated Final Order in Case No. ENF23-V-FO-3, issued February 27, 2026.