The fastest way to get on the CPPA’s radar is to treat opt-out like a verified identity request.
On March 5, 2026, the California Privacy Protection Agency (CPPA) Board issued a formal decision against Ford Motor Company and imposed a $375,703 fine. The core allegation was simple: Ford required consumers to complete an email verification step before opt-out requests would be processed, and requests without verification were not acted upon.
If you run a consumer site or app, you should read that as a product requirement, not a legal footnote. Under the CCPA, opt-out requests are non-verifiable. They are preference signals. When a business adds extra steps like email verification, it is not “protecting consumers.” It is adding friction, and the CPPA is explicitly treating that friction as a compliance failure.
What the CPPA said Ford did wrong
Based on the CPPA’s March 5, 2026 decision, Ford’s opt-out process had a gate: consumers had to verify their email before Ford would process the request. If the verification step was not completed, the request was essentially ignored.
This is the opposite of what the statute and regulations are trying to accomplish. The point of an opt-out is that a consumer can communicate a preference quickly and have it honored. An opt-out is not a request for sensitive account data. It is “stop doing this processing.”
The legal point that matters: opt-out is non-verifiable
Businesses sometimes copy and paste the identity verification mindset from access and deletion requests into opt-out. That is the mistake.
For access and deletion requests, there is at least a coherent reason to verify identity. You are about to disclose or delete personal information. Verification is about preventing the wrong person from getting data or causing harm.
Opt-out is different. Opt-out is a preference signal. Under the CCPA, it is treated as a non-verifiable request. You do not get to impose identity verification steps that functionally reduce the number of opt-outs you actually honor.
Email verification is friction. It introduces delay, confusion, and drop-off. It also creates a very clean enforcement fact pattern because it is easy to test: submit the opt-out, do not click the verification email, and see whether the business honors the request. In Ford’s case, the CPPA found that the requests were not processed without verification.
What the order required Ford to do
The fine is real, but the remediation is what should make compliance teams pay attention. The decision required Ford to:
- Pay the $375,703 fine.
- Process all previously ignored opt-out requests. That is painful and expensive because it forces you to reconcile historical records and re-run workflows you treated as incomplete.
- Provide low-friction opt-out methods. Opt-out cannot be a multi-step obstacle course.
- Audit tracking technologies on its website. If your tag inventory is incomplete, you cannot confidently claim you honor opt-outs.
- Honor opt-out preference signals, including Global Privacy Control. This is not optional. If your site is not respecting preference signals, you are inviting the same kind of testing that triggered this order.
Context: this is part of a broader connected vehicle sweep
This Ford decision did not come out of nowhere. It was part of the CPPA’s broader sweep of connected vehicle manufacturers. It is the same initiative that produced the CPPA’s $632,500 enforcement action against Honda.
Separate from the CPPA’s work, the California Attorney General has also been active. The Attorney General recently secured a $2.75 million civil penalty, described as the largest CCPA settlement to date, for failure to implement opt-out rights across properties.
Put those together and the direction is clear. Regulators are not just looking for a link in the footer. They are testing whether opt-out works across brands, domains, and products, and whether the workflow creates friction that deters consumers.
Practical takeaways: what to fix before a regulator tests your site
If you own privacy compliance, you should treat opt-out like a functional requirement with acceptance criteria. Here is the short list I recommend most businesses run through. It is intentionally concrete because enforcement is concrete.
1) Remove verification from opt-out workflows
If your opt-out requires any of the following, you are taking risk you do not need:
- email verification
- SMS verification
- account login
- “confirm your request” links that must be clicked before anything changes
Your opt-out method can collect information needed to effect the request, but it should not condition processing on identity verification. The CPPA has now made that enforcement-grade.
2) Test Global Privacy Control like an auditor would
Turn on Global Privacy Control in a browser and visit your site with a clean profile. Watch what loads. If tracking technologies tied to cross-context behavioral advertising still fire, you are not honoring the signal.
Then document it. Screenshots, tag logs, and a short test memo are the difference between a fast remediation and a months-long scramble later.
3) Audit tracking technologies before you “certify” opt-out behavior
The Ford order included an obligation to audit tracking technologies on Ford’s website. That requirement shows the CPPA’s mindset: you cannot honor opt-out if you do not know what is on the page.
At a minimum, you should be able to answer:
- Which third parties receive data through tags, pixels, SDKs, and embedded content?
- Which of those are tied to advertising or cross-context behavioral advertising?
- What changes when a consumer opts out or sends a preference signal?
Most businesses are surprised by what they find. That surprise is exactly what turns into “we did not honor the request” when enforcement starts.
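As an added example (not part of the original article or any CPPA material), this Node.js script shows one way to run the checks from sections 2 and 3 over a HAR capture recorded with Global Privacy Control enabled. The hostnames, tag inventory and capture are constructed, and failing the audit on hosts missing from the inventory is an assumption.

```javascript
// Added example. Hostnames, inventory and capture are constructed.
// Tag inventory: domain -> vendor and purpose. "advertising" marks tags tied
// to cross-context behavioral advertising (assumed classification).
const TAG_INVENTORY = new Map([
  ['adnetwork.example', { vendor: 'Ad Network', purpose: 'advertising' }],
  ['pixel.example', { vendor: 'Social Pixel', purpose: 'advertising' }],
  ['metrics.example', { vendor: 'Analytics', purpose: 'analytics' }],
]);

// Match a hostname to the inventory by exact name or parent-domain suffix.
function classifyHost(hostname, inventory) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const domain = labels.slice(i).join('.');
    if (inventory.has(domain)) return { domain, ...inventory.get(domain) };
  }
  return null;
}

// True if a HAR entry's request carried the GPC header "Sec-GPC: 1".
function sentGpc(entry) {
  return entry.request.headers.some(
    (h) => h.name.toLowerCase() === 'sec-gpc' && h.value.trim() === '1');
}

// Audit a HAR capture recorded in a clean profile with GPC turned on.
function auditGpcCapture(har, siteHost, inventory = TAG_INVENTORY) {
  const report = { gpcSent: false, violations: [], unknown: [] };
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (host === siteHost || host.endsWith('.' + siteHost)) {
      report.gpcSent = report.gpcSent || sentGpc(entry); // signal reached the site
      continue;
    }
    const tag = classifyHost(host, inventory);
    if (!tag) { if (!report.unknown.includes(host)) report.unknown.push(host); }
    else if (tag.purpose === 'advertising') report.violations.push({ host, vendor: tag.vendor });
  }
  // Unlisted hosts fail the audit: an incomplete inventory cannot support a pass.
  report.pass = report.gpcSent && report.violations.length === 0 && report.unknown.length === 0;
  return report;
}

// Constructed capture: first-party page, analytics, one ad sync, one unlisted embed.
const req = (url, gpc = true) =>
  ({ request: { url, headers: gpc ? [{ name: 'Sec-GPC', value: '1' }] : [] } });
const SAMPLE_HAR = { log: { entries: [
  req('https://shop.example/'), req('https://collect.metrics.example/v1/event'),
  req('https://sync.adnetwork.example/match'), req('https://widgets.unlisted.example/embed.js'),
] } };
console.log(JSON.stringify(auditGpcCapture(SAMPLE_HAR, 'shop.example'), null, 2));
```

The printed report can go straight into the test memo alongside the screenshots and tag logs.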
4) Make “low friction” measurable
In practice, low friction means:
- one path to opt out that does not require creating an account
- a clear success state that does not rely on email follow-up
- preference signals honored automatically, without additional prompts
If your process does not meet that standard, fix it now. Waiting until you receive an investigative inquiry is the most expensive way to learn the same lesson.
My take: opt-out friction is now a primary enforcement trigger
Ford did not get fined for missing a checkbox. They got fined for a workflow design decision that predictably reduced opt-outs. That is what “email verification” means in this context.
If you want to stay out of the next enforcement wave, stop thinking like a data broker and start thinking like a regulator. When a consumer opts out, your job is to honor the preference quickly and reliably, and to honor preference signals like Global Privacy Control without making the consumer fight you.
Source: CPPA Board decision (March 5, 2026) described above.