An Important Privacy Law Reminder for Dealers
California’s privacy regulator just fined Ford Motor Company $375,703 for doing something that sounds almost reasonable on its surface: asking consumers to verify their email before processing an opt-out request. But here’s the thing we’ve been saying for years: under the CCPA (and many other state privacy laws as well), consumer privacy requests like opt-outs are non-verifiable requests. Unlike a deletion or access request, where identity verification has some logical basis, an opt-out is a preference signal, not a transaction. The law is clear that businesses cannot add friction to the process, and email verification is friction. If your vendor built your opt-out workflow with any verification step baked in, either because they don’t know the law, or because they copied a process from another context, you’re the one at risk.
On March 5, 2026, the California Privacy Protection Agency Board issued a formal decision against Ford following a settlement with CalPrivacy’s Enforcement Division. The agency found that Ford required consumers to complete an email verification step before their opt-out requests (covering both Ford’s digital properties and its connected vehicle services) would be processed. Requests that lacked that verification step were simply not acted upon. In response to the investigation, Ford was required to go back and process all those previously ignored requests, pay the $375,703 fine, and commit to meaningful operational changes going forward: providing low-friction opt-out methods, auditing the tracking technologies on its website, and honoring opt-out preference signals, including the Global Privacy Control. The case was brought as part of CalPrivacy’s broader sweep of connected vehicle manufacturers, the same initiative that produced last year’s $632,500 enforcement action against American Honda, making clear that regulators view the auto industry as a priority target.
The lesson for auto dealers is direct and urgent: you cannot outsource your state privacy compliance to just any vendor and assume it’s handled. The details matter and working with an expert matters: your opt-out process must be simple, frictionless, and must actually honor requests, including Global Privacy Control signals. That’s not something you can set and forget with a generic vendor who doesn’t understand automotive data flows or dealer operations. It’s exactly why working with a partner like ComplyAuto, one that knows both the law and the dealership environment, isn’t a luxury, it’s the only way to ensure compliance. Contact ComplyAuto today to learn more.