CalPrivacy’s Ford fine: When an extra opt-out step is a CCPA violation

On March 5, 2026, CalPrivacy announced that Ford has been issued a $375,703 fine and ordered to take corrective measures to change its privacy opt-out practices, after the agency found that its process created unlawful friction under the California Consumer Privacy Act (CCPA).
The reason for this action is simple, and one that consumers still encounter too often. Ford’s problem was that “one more step” became another chance to keep selling or sharing personal data.
That one more step was an email opt-out link. If customers did not click it, those requests could expire, which CalPrivacy said meant Ford continued selling or sharing personal data after consumers had already submitted an opt-out request. CalPrivacy was very clear on this point: that extra friction was not acceptable.
“Opting out is supposed to be easy,” said Michael Macko, the head of enforcement at CalPrivacy.
“Just as unnecessary steps in the checkout process can discourage consumers from completing a purchase, unnecessary steps in the opt-out process can discourage consumers from exercising their privacy rights. We will continue to scrutinize practices that create these kinds of barriers for Californians.”
Key takeaways:
- Who/What: A CalPrivacy enforcement action against Ford Motor Company connected to Ford’s handling of opt-out requests across digital properties and connected vehicle services.
- Outcome: A $375,703 fine plus significant changes to Ford’s opt-out process.
- Core allegation: Ford required consumers to verify their email before processing certain opt-out requests. CalPrivacy said that approach violated the CCPA by turning what should have been a low-friction opt-out into something closer to a verifiable consumer request.
- Why it matters: CalPrivacy said a submitted opt-out request should have been honored without that extra verification step. Because Ford allowed some requests to expire when consumers did not email-confirm, the agency said Ford continued selling or sharing personal data after consumers had already tried to opt out.
- Market-wide consideration: The Ford settlement came out of CalPrivacy’s connected vehicle privacy review, the same sector-wide scrutiny that also produced the Honda CCPA case ($632,500 fine in March 2025).
CalPrivacy investigation against Ford: facts and timeline
- Announcement date: February 27, 2026.
- Case number: ENF23-V-FO-3.
- Time period: The case investigated the period from July 1, 2023, to March 1, 2024.
- Investigation scope: Ford’s public-facing websites and mobile applications were subject to the CCPA, including Ford.com and the Ford mobile app. The matter also covered personal data collected through digital properties and connected vehicle services.
- Trigger & context: CalPrivacy opened the case as part of its broader review of connected vehicle manufacturers’ privacy practices, including the Honda case in 2025.
Briefing for privacy leaders
- CalPrivacy’s Ford case is not about email design. It is about whether a company honors an opt-out when the user clicks submit.
- Ford’s privacy form let users submit an opt-out request, but then added a “One More Step!” email confirmation before the request would be processed.
- CalPrivacy said that the extra step created unlawful friction and, more importantly, meant Ford continued selling or sharing personal data after consumers had already tried to opt out.
- For privacy leaders, this is the real lesson: it is not just a consumer-rights or user-experience issue. It is also what happens in the tracking and data-sharing layer while your workflow waits for “verification.”
What happened to cause this CCPA violation
Ford gave customers an online privacy rights form, allowing customers or subscribers to exercise numerous rights. This included the right to opt out of the sale or sharing of their personal data. Users filled required fields, completed reCAPTCHA, and clicked submit.
After submission, Ford displayed a message telling consumers to check their email and click confirm before Ford would start processing the request. The follow-up email said consumers “must confirm your email and identity.”
During the relevant period, Ford treated some requests as “expired” when consumers did not click the confirmation email, and CalPrivacy said this caused Ford not to process dozens of opt-out requests within the required time. If a customer did not click the email link, those opt-out requests were not processed, and the agency said personal data continued to be sold or shared in the meantime.
Summary of Ford’s CCPA violations
1. Verification before opt-out
- What CalPrivacy says broke: Businesses should not need a verifiable consumer request for the right to opt out of sale or sharing. Ford did exactly that by requiring email confirmation and identity confirmation before processing.
- Underlying control failure: Ford treated opt-out like an identity-gated rights workflow instead of a suppression command that should be actioned with the information already provided, where feasible. Under the CCPA, opt-out is meant to be low-friction. The verification standard that applies to access or deletion requests does not apply in the same way here.
2. Continued sale/sharing after submission
- What CalPrivacy says broke: Once a consumer submitted Ford's opt-out form, they had clearly told Ford to stop selling or sharing personal data. Because Ford did not process some requests in time, CalPrivacy said Ford continued selling or sharing those consumers' personal data in the interim.
- Underlying control failure: Ford's rights intake system was not tightly connected to the actual sale/sharing suppression layer. A submitted request should trigger prompt suppression downstream to relevant data partners and ad platforms, not merely open a processing queue.
3. Tracking technologies and opt-out preference signals
- What CalPrivacy ordered next: Ford needs to audit cookies, web beacons, and pixels on Ford.com, apps, and other digital assets to ensure they are configured to honor opt-out preference signals such as Global Privacy Control (GPC) where required.
- Underlying control failure: Even when the headline violation is workflow friction, the remedy still lands in runtime tracking governance. Honoring GPC requires technical signal detection at the tag/pixel layer, not just a form on a privacy page.
CalPrivacy’s message is clear: friction can become an enforcement issue
This order shows that CalPrivacy is focused not just on whether an opt-out exists, but on whether businesses add unnecessary barriers before acting on it.
The same logic will not be limited to large brands. As California expands its enforcement capacity and audit activity in 2026, privacy leaders should expect more scrutiny of whether rights workflows actually work in practice.
Four key learnings from this order:
- Unnecessary friction in the opt-out process can create CCPA risk.
- The order makes the theory stronger. If a business can comply with an opt-out request using the information already submitted, adding an extra step may create avoidable friction and delay suppression.
- Because of this, privacy teams should stop thinking about opt-out only as form design. The enforcement risk sits in the gap between request intake and technical suppression.
- This is also the second major connected-vehicle case from the same CalPrivacy review. The Honda case in 2025 suggests that the agency sees automotive and connected-product ecosystems as a high-value testing ground for privacy rights execution.
What most privacy teams miss: Web and app data flows must be audited
A few points privacy teams should take from this:
- Many teams assume that having a consent banner and a CMP is enough.
- The real question is whether tags, pixels, cookies, SDKs, etc. share personal data with advertising partners when users opt out of data sharing.
- If suppression depends on a delayed email click, a CRM flag, or a manual processing queue, personal data may continue to flow in the meantime.
- Ford is a clean example of why privacy rights must be connected to runtime systems, not just intake forms.
What does Ford need to do now?
Ford now needs to make the following changes to align its opt-out flow with the order and the CCPA’s low-friction expectations:
- Pay $375,703 within 30 days of the decision’s effective date (February 27, 2026).
- Provide opt-out methods that are easy and require no unnecessary extra steps.
- Stop requiring verifiable consumer requests for opt-out of sale or sharing.
- Honor submitted opt-out requests to the extent Ford can do so within the required CCPA time period.
- Audit tracking technologies on Ford.com and other digital assets, including cookies, web beacons, and pixels, to ensure opt-out preference signals like GPC are honored where required.
- Confirm completion of those actions with the California Privacy Protection Agency Board in 90 days.
What to audit now before your opt-out flow becomes an enforcement issue
Here is an actionable checklist for privacy teams. It can help you assess whether your company is exposed to the same kind of enforcement risk seen in the Ford and Honda matters, even outside the automotive industry.
- Submit your opt-out form or consent banner and test what personal data is still shared.
- Check whether any email verification, account login, OTP, or “confirm identity” language appears in opt-out of sale/sharing workflows.
- Trace whether cookies, pixels, web beacons, or SDKs continue firing between request submission and final workflow completion.
- Test GPC or other opt-out preference signals across homepage, logged-in areas, checkout, account pages, and mobile app/webview surfaces.
- Map each opt-out request path to actual technical suppression points in tag managers, consent tools, CDPs, ad platforms, and connected-service backends.
- Compare website and app rights flows. Ford’s case covered digital properties and connected vehicle services, which is exactly where fragmented controls can break.
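One way to run the trace and GPC checks from this checklist over a recorded browser session, as an added example that is not from the original article or from any vendor's tooling. The capture format, the `.test` hostnames, and the `sharingHosts` list (which a team would take from its own data map) are constructed assumptions.

```javascript
// Constructed capture of one test session; hosts and fields are illustrative.
// t = milliseconds since session start; headers = request headers as sent.
const capture = [
  { t: 1500, url: "https://pixel.adpartner.test/collect?e=pageview", headers: {} },
  { t: 2000, url: "https://www.shop.test/api/privacy/opt-out", headers: {} },
  { t: 2600, url: "https://pixel.adpartner.test/collect?e=form_submit", headers: {} },
  { t: 3000, url: "https://cdn.shop.test/app.js", headers: {} },
  { t: 9000, url: "https://beacon.dsp.test/sync", headers: { "Sec-GPC": "1" } },
];

// Header names are case-insensitive, so normalise before lookup.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Match the host itself or any subdomain of a listed sale/sharing destination.
function isSharingHost(host, sharingHosts) {
  return sharingHosts.some((h) => host === h || host.endsWith("." + h));
}

// Flag requests to sale/sharing destinations that were sent either after the
// opt-out form was submitted (optOutAt) or while the browser sent Sec-GPC: 1.
// Pass optOutAt = null for a GPC-only test run with no form submission.
function findPostOptOutSharing(entries, { optOutAt, sharingHosts }) {
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.url).hostname;
    if (!isSharingHost(host, sharingHosts)) continue;
    const reasons = [];
    if (optOutAt !== null && e.t > optOutAt) reasons.push("after-opt-out-submit");
    if (headerValue(e.headers, "sec-gpc") === "1") reasons.push("gpc-signal-present");
    if (reasons.length > 0) findings.push({ t: e.t, host, reasons });
  }
  return findings;
}

// The clock starts when the form is submitted (t = 2000), not at a later confirmation.
const findings = findPostOptOutSharing(capture, {
  optOutAt: 2000,
  sharingHosts: ["adpartner.test", "dsp.test"],
});
console.log(JSON.stringify(findings, null, 2));
```

Any finding is a request to review against the suppression points mapped in the checklist; an empty result for a session only shows that the listed hosts were not contacted in that capture.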
How Privado AI continuously audits websites and apps to ensure privacy compliance
Privado AI offers the most comprehensive web and mobile app privacy auditing solutions:
- Simulates user journeys and consent states on live sites.
- Detects cookies, pixels, web beacons, and downstream data flows.
- Verifies whether reject, opt-out, and GPC states actually suppress sharing.
- Produces evidence that teams can use internally with engineering and compliance.
- Scans iOS and Android app files and simulates user activity.
- Discovers SDKs, permissions, and third-party data flows.
- Tests consent behavior across app experiences.
- Surfaces mobile-specific leakage and reporting drift.



