Another day, another CCPA action. On March 5, 2026, CalPrivacy announced a $375,703 settlement with Ford Motor Company over allegations the business introduced unnecessary friction for consumers to exercise their opt-out rights. Below are a few key takeaways from the order.

1. Opt outs are Not Verifiable.

Over six years after the CCPA went into effect, delineating between verifiable and nonverifiable consumer requests is still creating issues for businesses. The law is clear: businesses may verify a consumer's request to delete, know, or correct, but may not require verification for requests to opt out of the sale or share of their personal information. 

Ensuring these request types are honored separately and lawfully requires proper configuration within a business's consumer request platform. Many vendor tools treat opt outs as verifiable requests by default, requiring customization of off-the-shelf products. 

2. Not All Enforcement is Created Equal

The contrast between this settlement and CalPrivacy's recent action against events management platform PlayOn – publicized just one day prior – is instructive. The difference in the settlement amounts is striking, particularly when considering the size of each business, but the allegations establish a clear enforcement hierarchy. 

A consistent theme has emerged in the past few years of enforcement: procedural violations involving opt-out or consent flows (e.g., the friction identified in this Ford order) are generally treated as correctable, lower-stakes issues. In contrast, cases involving sensitive information or vulnerable populations carry significantly higher risk, leading to larger penalties and more stringent injunctive terms. For businesses, while technical compliance is essential, the nature of the data involved can be a force multiplier in an enforcement context, and should be prioritized accordingly.

3. Enforcement Sweeps as a Compliance Roadmap

As with last year's Honda settlement, this matter arose from an enforcement sweep announced by CalPrivacy in 2023. Enforcers are not hiding the ball with their priorities, and businesses would be wise to heed the warnings found in public announcement regarding industry-specific investigatory efforts. Between CalPrivacy and the California Attorney General's Office, publicized areas of focus include: surveillance pricing, location data, Global Privacy Control, streaming services and connected televisions, employee and job applicant data, mobile apps, and financial incentive and loyalty programs. For businesses triaging their compliance efforts, California regulators have provided issues they believe you should prioritize.