Honda Motor Co.’s $632,500 privacy deal suggests steeper fines are coming for “connected” carmakers. Few were surprised an automaker like Honda would become the first business to settle a claim with California’s privacy watchdog.
The California Privacy Protection Agency first hinted at a “connected vehicles” investigation in July 2023, the same month its enforcement authority began. The surprise? Honda’s cars had nothing to do with it.
Honda’s fine stems entirely from its website, which made it difficult for Californians to exercise their privacy rights. But the settlement leaves little doubt: Honda came in for scrutiny as part of that probe. Honda.com’s issues obscure the likeliest reason the real target—Honda’s cars—remained unblemished: Only one model in Honda’s lineup is capable of connecting to the internet on its own.
California’s short enforcement history suggests that probe still hasn’t found its poster child. So, what happens if the sweep collides with an always-online lineup like Tesla Inc.’s? Applying the math in Honda’s settlement could make a $632,500 fine look like a paper cut.
While years of litigation handcuffed the watchdog’s regulations, California’s Department of Justice enforced the state’s privacy laws. CA DOJ’s short history focused on high-impact priorities, such as restricting sales of kids’ data and forcing websites to respect automatic opt-outs from browser extensions.
Meanwhile, the CPPA tinkered with its regulations and issued enforcement bulletins, including one targeting “connected vehicle (CV) manufacturers.” When cars involve “web-based entertainment, smartphone integration, and cameras,” the July 31, 2023, bulletin said, they “often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”
Many read that as a sign the watchdog would also prioritize high-impact practices with meaningful consequences.
The Fine
Compared with the conduct alleged in the CA DOJ precedents, Honda.com’s technical compliance issues seem humdrum. But Honda’s fine is far larger by any reasonable measure.
Unlike its predecessors, the Honda settlement gives specifics about how it was calculated. Honda’s paying full-freight: $2,500 for each of the 153 people unable to exercise their rights on Honda’s website in the way California law requires. (California privacy law authorizes “up to $2,500” for each violation.)
For reasons the settlement doesn’t explain, Honda’s also paying an additional $250,000. Those components constitute about 60% and 40% of the total, respectively.
The Honda settlement reveals several reasons to suspect other automakers remain under scrutiny and could face much larger fines.
First, Honda came in for scrutiny under the connected-car sweep, even though the settlement has nothing to do with its cars. All the actual consumer harm occurred between July 1, 2023, and Sept. 23, 2023, an 83-day period bookending the “connected vehicles” bulletin.
Honda.com’s practices weren’t egregious. It used a top privacy vendor, OneTrust, to facilitate privacy requests and opt-outs of targeted ads. Honda just failed to implement those tools in the precise manner California law requires.
Second, Honda doesn’t really sell “connected vehicles.” Almost no Hondas can connect to the internet on their own.
Honda’s lineup remains affordable by skimping on the complex sensors and chipsets that make pricier cars more like computers on wheels. During the 2024–25 model years, only the Honda Prologue contained an internet radio. Prologues were 2.6% of Honda’s US sales.
Without internet radios, Hondas can’t transmit data in the automatic manner that has long concerned privacy advocates. In general, whatever data a Honda collects stays in the car.
That really sets Honda apart. As early as 2023, 86% of cars sold in the US carried 4G or 5G radios.
The Math
Imagine Honda instead admitted to the behavior the probe is focused on: failing to tell drivers how their cars collect, use, and disseminate personal information. Disclosure is the bare-minimum lodestar of all privacy laws, so it’s the lowest-hanging fruit for the watchdog’s connected-car probe.
Many cars continuously transmit GPS, speed, and acceleration data. Cars can do that whether consumers buy internet service or not. Carmakers sell the data, which is tremendously valuable to insurers in setting rates, among others.
Most consumers would find that outrageous but have no idea it’s happening. It’s often laughably hard to find out what your car collects and what your carmaker discloses. Many cars display privacy policies on infotainment screens when they’re first set up. Good luck finding them later.
In that scenario, the consumers who were harmed would include everyone who bought a Honda. Californians bought 364,541 Hondas over the 2023–2024 period the settlement covers. The actual consumer harm? $911 million. If that represented 60% of the total fine, as in the current settlement, Honda’s overall fine would reach $1.5 billion.
Only Toyota Motor Corp. and Tesla sold more cars than Honda in California in the 2023–24 period.
A shot at Tesla would make the most sense. Every Tesla includes an internet radio. Tesla also writes its software, so it’ll have a hard time defraying liability by pointing at a vendor who did.
Moreover, a splashy fine from a blue-state regulator has plenty of political runway. An April report alleged Musk’s White House role may impede Tesla’s federal liability for false and misleading statements about its cars, estimated at $1.2 billion.
Californians bought 566,441 Teslas in 2023 and 2024. How does the Honda math map to Tesla? $2.3 billion.
A fine in the billions may sound farfetched, but the watchdog arguably needs a high-profile win. Ongoing legislative discussions in Sacramento and Washington could lead to laws that threaten its purview or preempt its authority. In the past, the agency’s opposition helped kneecap federal privacy bills in 2022 and 2024.
Today, as the agency continues pushing new and ambitious AI regulations, lawmakers may be wondering whether it’s squandering its existing authority. The Honda settlement got little public attention. A single six-figure settlement may not be enough to defend its turf.
But striking out at the shadowy driver-data marketplace would demonstrate the agency has the ambition and technical chops to match its mandate. Pursuing Tesla, the bête noire of the moment, could put the agency in the driver’s seat of privacy enforcement.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Peter Jackson is counsel for Greenberg Glusker’s intellectual property group.
Write for Us: Author Guidelines
