
The Honda, Ford, and Disney CCPA Cases: What Every Cookie Banner Designer Must Learn

Three enforcement actions, $3.76M in combined fines, and a pattern so consistent it amounts to a design spec. A close reading of the Honda, Ford, and Disney CCPA settlements for privacy engineers and product teams who own the banner.

CCPA
12 min read

Between March 2025 and March 2026, the California Privacy Protection Agency and the California Attorney General together announced three settlements that should end the debate about what a CCPA-compliant cookie banner and opt-out flow looks like. American Honda paid $632,500 in March 2025. The Walt Disney Company paid $2.75M in February 2026, the largest CCPA settlement in history. Ford Motor Company paid $375,703 in March 2026. The cases target different layers of the consent stack, but read together they are a design specification for anyone who owns the banner, the preference center, or the opt-out form.

This post works through what each regulator actually said, what was wrong with each company's implementation, and what the specific lesson is for privacy engineers, product managers, and legal teams responsible for consent UX on their own sites. If you want the broader guide to CCPA banner requirements, that lives in our CCPA Cookie Banner Requirements pillar. This post is about what the enforcement record teaches.

TL;DR. Three lessons, one per case. Honda: first-layer asymmetry (Accept All vs. Manage Preferences) is a dark pattern under 11 CCR § 7004(a)(2), and opt-out forms cannot require identity verification. Disney: an opt-out that applies only to the device that sent it, or only to your own ad platform, is not an opt-out. Logged-in users need cross-service, cross-device propagation. Ford: requiring an email for verification before processing an opt-out is "unnecessary friction" and will trigger an audit of every cookie, beacon, pixel, and SDK on your properties. Each finding has a concrete fix, and the three together cover most of the real banner failures in production today.

Case one: American Honda, March 2025

American Honda Motor Co. was the first company fined by the California Privacy Protection Agency after the Agency took over enforcement alongside the Attorney General. The CPPA's March 12, 2025 announcement laid out a settlement order for $632,500 and injunctive relief. The findings cluster into three banner-relevant issues.

Finding one: asymmetrical first-layer choice. Honda's cookie banner offered an "Allow All" button in one click. To refuse, the consumer had to click through to a secondary "Manage Preferences" screen and toggle individual categories off. The CPPA cited this as a violation of 11 CCR § 7004(a)(2), which requires that "the path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option." The regulation's own illustrative example is all but identical to Honda's implementation: a banner that offers only "Accept All" and "Preferences" (or "Accept All" and "More Information") is not equal or symmetrical.

CPPA Deputy Director Michael Macko, announcing the settlement, said: "The remedy should fit the problem behavior. We won't hesitate to use our cease-and-desist authority to change business practices, and we'll tally fines based on the number of violations." That "tally fines based on the number of violations" is the sentence product managers need to understand. The CPPA counts violations on a per-consumer-affected basis for many findings. A single banner flaw on a site with substantial California traffic can compound into seven figures fast.

Finding two: excessive data collection on the opt-out webform. Honda's "Do Not Sell or Share" webform required consumers to provide eight data elements before it would process an opt-out request, even though an opt-out is not a request the business is entitled to verify. The CCPA regulations are explicit that a request to opt out of sale or sharing need not be a verifiable consumer request, so a business cannot make identity verification, or the data collection that verification implies, a precondition for honoring one. The logic is that opt-out is a low-risk action (the business just stops selling/sharing), so the friction of verification is disproportionate to the risk.

Finding three: authorized agent self-verification. CCPA permits a consumer to use an authorized agent to submit rights requests on their behalf. Honda required the underlying consumer to self-verify before Honda would honor an agent's request. That inverts the statutory design and was cited as a separate violation.

What Honda teaches a banner designer

  1. The first layer must be symmetrical. Two buttons, equally prominent, equal click distance. "Accept All" and "Reject All" (or semantically equivalent). "Manage Preferences" is fine as a third button or a text link but cannot substitute for "Reject All."

  2. The opt-out webform, if you have one, should collect only what's strictly needed to scope the opt-out. Usually that's a California-residency attestation and some identifier to scope the opt-out to a browser, device, or account. Not eight fields.

  3. Authorized agent flows are a separate engineering consideration. Do not route agent requests through the same verification step you apply to deletion or access requests. CCPA treats them differently.

The Honda order PDF is at cppa.ca.gov/regulations/pdf/20250307_hmc_order.pdf. If you own a banner or preference center, reading the order cold is worth thirty minutes.

Case two: The Walt Disney Company, February 2026

Disney's $2.75M settlement is the largest CCPA action to date. The California Attorney General's February 11, 2026 announcement is the primary source. Three findings dominate, and all three are about scope of the opt-out.

Finding one: device-scoped, service-scoped opt-out. Disney's opt-out toggle worked on the device and service where the user submitted it. A logged-in Disney+ user who opted out in the web app did not opt out for the same Disney account on a Roku device, on Hulu, or on the Disney mobile app. This violates 11 CCR § 7025(c), which requires that for a logged-in consumer the opt-out be applied across all accounts the business has associated with that consumer.

Finding two: GPC honored only on the signal device. Disney's browser-based Global Privacy Control handling respected the signal on the specific browser that sent it but did not propagate the opt-out to the user's account across the Disney ecosystem. Again, for a logged-in consumer this does not meet the § 7025(c) standard.

Finding three: CTV apps lacked in-app opt-out, and the webform only blocked Disney's own ad platform. Connected TV users had no in-app mechanism to opt out. The webform, which was the alternative, stopped sharing with Disney's first-party ad-tech but continued flowing to third-party partners. The CCPA's "sale or sharing" definition (see Cal. Civ. Code § 1798.140(ad) and (ah)) covers both, so the webform's narrow scope was itself the violation.

AG Bonta captured it memorably: "Consumers shouldn't have to go to infinity and beyond to assert their privacy rights." The settlement also imposes a 3-year monitoring period, which is the real cost Disney will absorb over time beyond the cash fine.

What Disney teaches a banner designer

  1. Opt-out is identity-scoped, not device-scoped, for logged-in users. Persist the opt-out against the user account and propagate across every service, device, and app where that account is recognized. If you run a streaming product, a subscription service, or any logged-in experience, the opt-out in the web app must also suppress sharing from the CTV app signed in to the same account.

  2. CTV and mobile apps need an in-app opt-out. "Go to our website" is not an acceptable substitute when the primary channel is an app. This specifically applies to logged-in contexts where you can persist a user-level preference.

  3. The opt-out must actually stop downstream sharing. Audit the tag firing logic. If the opt-out stops your own ad platform but lets Meta Pixel, Google Ads, or TikTok pixels continue firing with identifiable data, the opt-out is incomplete as a matter of law. The Healthline case (July 2025, $1.55M, AG announcement) made the same point a year earlier: it is not enough to route the request; the underlying data flows have to actually stop.

  4. Plan for a 3-year monitoring tail on any settlement. The Disney order requires ongoing compliance reporting. Whatever you ship to fix these issues, it needs to be auditable for years, not just live.

Case three: Ford Motor Company, March 2026

Ford was a narrower finding than Honda or Disney but with broader operational implications. The CPPA's March 2026 announcement on privacy.ca.gov established the "unnecessary friction" standard in plain language.

The finding. Ford required an email address for verification before it would process an opt-out request. The CPPA called this "unnecessary friction", on the same ground as the Honda webform finding a year earlier: a request to opt out is not a verifiable consumer request, and a business may not require verification before honoring it. The distinguishing feature of the Ford case is the remedy: Ford agreed to audit every tracking technology on its properties (cookies, beacons, pixels, SDKs) for GPC handling and to report the results. That audit obligation is now the baseline injunctive remedy the CPPA will reach for in similar matters.

What Ford teaches a banner designer

  1. Do not collect identity data for opt-outs you do not need to verify. The pattern to avoid: opt-out form that asks for email, name, or account identifier before processing. The correct pattern: opt-out routes through the existing CMP identifier (browser cookie, device ID) for unauthenticated users, or through the session/account for logged-in users. No verification step.

  2. Expect a full tracking-tech audit if you are enforced against. Even if your fine is relatively small, the downstream cost of auditing every pixel, every SDK, and every server-side integration for GPC compliance is significant. Doing the audit proactively is cheaper than doing it under CPPA order.

The pattern across all three

Strip away the company-specific details and the three cases converge on one design principle: the opt-out has to be genuinely frictionless in both the UX layer and the downstream-data layer, and the scope of the opt-out has to match the scope of the identity.

At the UX layer, that means:

  • Symmetrical first-layer choice on the banner (Honda)
  • No verification required for opt-out requests (Ford)
  • No excessive form fields on the opt-out webform (Honda)
  • In-app opt-out for CTV and mobile apps (Disney)

At the data layer, that means:

  • The opt-out actually stops the tags firing, not just your own ad platform (Disney, Healthline)
  • The scope propagates across all services and devices for logged-in users (Disney)
  • GPC detection works end-to-end (Sephora, Healthline, Ford, Disney all had GPC findings)
  • Every tracking technology is inventoried and audited for consent handling (Ford)

A self-audit you can run this week

Pull up your own site and the opt-out flow. Walk through it as if you were a regulator. Answer the following:

  1. First-layer choice. Is there a "Reject All" or "Decline All" button of exactly the same visual weight and click distance as "Accept All" on the first layer of the banner? If the choice is "Accept All" vs. "Manage Preferences," you are in the Honda pattern.

  2. GPC detection. Open Firefox or Brave with GPC enabled and visit your homepage. Does the site detect the signal? Does it render a visible confirmation that the signal was honored (required under the new § 7025(c)(6) rule effective January 1, 2026)? Does every analytics and ad tag subsequently respect the opt-out? A deeper walkthrough lives in our Global Privacy Control explainer.

  3. Opt-out webform fields. Look at your "Do Not Sell or Share" form. Count the required fields. If there are more than two or three, and if any of them are "verification" fields like email or phone, you are in the Honda or Ford pattern.

  4. Logged-in user propagation. If you have a logged-in experience, test: log in on web, submit an opt-out, then access your account on a mobile app or CTV device. Does the opt-out carry across? If not, you are in the Disney pattern.

  5. Downstream data flow. After opting out, open the developer tools Network tab. Do Meta Pixel, Google Ads, TikTok, LinkedIn Insight, or any other third-party ad-tech pixels still fire with identifiable data? If yes, the opt-out is cosmetic and you are in the Healthline and Disney pattern.

  6. CTV and mobile app parity. If you have a CTV app, mobile app, or both, is there an in-app opt-out, or does the app redirect to a webform? If redirect-only, you are in the Disney pattern.

Any "yes" answer to the failing conditions above corresponds to at least one of the three settlements covered in this post. The fines for each case were between $375,000 and $2.75M. Fixing the pattern in code costs a sprint.
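Step 5 above can be scripted rather than eyeballed. The JavaScript below is an added example written for this post, not code from the original page or from any tool: paste in the request URLs captured from the Network tab (or the url fields of a HAR export) after opting out, and it returns the third-party ad-tech requests that still fired, with those still carrying an identifier sorted to the top. The endpoint list, the identifier parameter names, and the sample capture are constructed assumptions for illustration, not a complete inventory and not data from any real site.

```javascript
// Added example (not Consenteo's or any tool's code): a scripted version of
// self-audit step 5. Feed it the request URLs captured after opting out; it
// returns the third-party ad-tech requests that still fired, worst first.

// Third-party ad-tech endpoints that a "Do Not Sell or Share" opt-out must
// silence. Illustrative, not a complete inventory: extend it from your own
// tag audit. A host entry matches the host and its subdomains; the path
// prefix keeps broad hosts such as google.com from flagging unrelated calls.
const ADTECH_ENDPOINTS = [
  { host: 'facebook.com', path: '/tr' },          // Meta Pixel
  { host: 'doubleclick.net', path: '/' },         // Google Ads / DV360
  { host: 'google.com', path: '/pagead/' },       // Google Ads conversion and remarketing
  { host: 'analytics.tiktok.com', path: '/' },    // TikTok Pixel
  { host: 'px.ads.linkedin.com', path: '/' },     // LinkedIn Insight Tag
];

// Query parameters that carry a user identifier, raw or hashed. Assumed list.
const IDENTIFIER_PARAMS = new Set([
  'em', 'ph', 'external_id', 'fbp', 'fbc', 'ttclid', 'uid', 'user_id', 'li_fat_id',
]);

function hostMatches(hostname, listed) {
  return hostname === listed || hostname.endsWith('.' + listed);
}

// Classify one captured request: is it an ad-tech endpoint, and which
// identifier-bearing parameters does it carry?
function classifyRequest(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return { url, adTech: false, identifiers: [], note: 'unparseable' };
  }
  const host = u.hostname.toLowerCase();
  const adTech = ADTECH_ENDPOINTS.some(
    e => hostMatches(host, e.host) && u.pathname.startsWith(e.path),
  );
  const identifiers = [...u.searchParams.keys()].filter(k => IDENTIFIER_PARAMS.has(k));
  return { url, host, adTech, identifiers };
}

// Findings for an incomplete opt-out: every ad-tech request that fired, with
// the ones still carrying an identifier ranked first.
function auditPostOptOut(urls) {
  return urls
    .map(classifyRequest)
    .filter(r => r.adTech)
    .sort((a, b) => b.identifiers.length - a.identifiers.length);
}

// Constructed sample capture (not from any real site): what the Network tab
// might show after "Reject All" on a site with the Healthline pattern. The
// Meta Pixel call still carries a hashed email (em) and the browser id (fbp).
const SAMPLE_CAPTURE = [
  'https://www.example.com/api/preferences',
  'https://cdn.example.com/static/app.js',
  'https://www.facebook.com/tr/?id=123456789&ev=PageView&em=0f2c9a7e4b1d&fbp=fb.1.1700000000000.123456',
  'https://www.google.com/pagead/1p-user-list/123/?random=1&cv=9',
  'https://analytics.tiktok.com/api/v2/pixel?sdkid=ABCDEF&ttclid=xyz123',
  // Not on the assumed list; add it if your GA configuration shares with Google Ads.
  'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX',
];
```

The ranking is the point: an ad-tech request with no identifier is a tag you forgot to gate; one that still carries `em` or `fbp` after the opt-out is a transfer of personal information that the opt-out was supposed to stop, which is the Healthline and Disney finding in one line of output.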

The enforcement pattern forces one conclusion about how CCPA compliance should be built: treat the opt-out as an identity-scoped durable preference, not a device-scoped transient state.

In practice that means:

  • For an authenticated user, the opt-out state should live in your identity layer, not only in a first-party cookie on the current browser.
  • When a user opts out while authenticated, that preference should be written to their account record and read by every service, device, and app on access.
  • For unauthenticated users, the opt-out should live in a first-party cookie scoped to the root domain, and it should propagate to subdomains.
  • Every outbound tag, whether client-side or server-side, whether first-party or third-party, should read that preference before firing.
  • Server-side GTM is not a workaround. The CCPA's "sale or sharing" definition covers any transfer to a third party, whether the transfer happens in the browser or on your server. The server-side tracking guide walks through why this matters.
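The bullets above describe a decision a tag manager has to make on every page view and every server-side event. The JavaScript below is an added example written for this post, not Consenteo's code or any CMP's: it resolves one opt-out decision from the signals listed (the Sec-GPC header or navigator.globalPrivacyControl, the account record, and a root-domain first-party cookie) and gates a tag list on it. The function names, the cookie name optout, and the tag list are illustrative assumptions.

```javascript
// Added example (not Consenteo's or any CMP's code): resolve one opt-out
// decision from the signals listed above, then gate every tag on it. The
// cookie name, function names and tag list are illustrative assumptions.

const OPT_OUT_COOKIE = 'optout'; // assumed first-party cookie name

// Tags the site fires. sharesWithThirdParty marks the ones whose firing is a
// "sale or sharing" under the CCPA; a first-party-only tag may still fire.
const TAGS = [
  { id: 'meta-pixel', sharesWithThirdParty: true },
  { id: 'google-ads', sharesWithThirdParty: true },
  { id: 'first-party-analytics', sharesWithThirdParty: false },
];

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// ctx carries whichever signals the caller can see:
//   secGpc       value of the Sec-GPC request header (server side)
//   navigatorGpc navigator.globalPrivacyControl (client side)
//   cookieHeader the Cookie header, or document.cookie in the browser
//   account      { id, optedOut } for a signed-in user, else null
// Any one opt-out signal is sufficient. The order only determines the
// reason reported, which is what a "signal honored" display needs.
function resolveOptOut(ctx) {
  if (ctx.secGpc === '1' || ctx.navigatorGpc === true) {
    return { optedOut: true, reason: 'gpc' };
  }
  if (ctx.account && ctx.account.optedOut) {
    return { optedOut: true, reason: 'account' };
  }
  if (parseCookies(ctx.cookieHeader)[OPT_OUT_COOKIE] === '1') {
    return { optedOut: true, reason: 'cookie' };
  }
  return { optedOut: false, reason: 'none' };
}

// Ids of the tags allowed to fire for this request. The answer does not
// depend on whether the call is made in the browser or in server-side GTM:
// both consult the same resolved preference before any transfer happens.
function firingTags(ctx, tags = TAGS) {
  const { optedOut } = resolveOptOut(ctx);
  return tags.filter(t => !(optedOut && t.sharesWithThirdParty)).map(t => t.id);
}

// Set-Cookie value for an unauthenticated opt-out: scoped to the root domain
// so it follows the browser to every subdomain, and long-lived so it is a
// durable preference rather than a session flag.
function optOutSetCookie(rootDomain) {
  return `${OPT_OUT_COOKIE}=1; Domain=${rootDomain}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}
```

Because resolveOptOut is a pure function of its inputs, the same module runs in the browser (reading navigator.globalPrivacyControl and document.cookie) and on the server (reading the Sec-GPC and Cookie headers), so there is no second, weaker code path for server-side tags. When the signal arrives from a signed-in user, also write it to the account record so the preference follows them off this browser.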

If your current implementation is a cookie banner wired to a few client-side tags with no account propagation, you have technical debt. The Disney case is the specific argument for why it is no longer optional to pay it down.

FAQ

Did these three cases change the CCPA, or just enforce the existing law?

They enforced the existing law, but they are the first high-profile cases that translate the regulation's abstract language (symmetrical choice, frictionless opt-out, opt-out scope) into specific banner and form patterns. The regulation text (11 CCR §§ 7004, 7013, 7025, 7026) was already in place. The cases gave the industry a set of concrete, litigated examples of what non-compliance looks like.

Is the Honda pattern (Accept All vs. Manage Preferences) really non-compliant?

Yes, under 11 CCR § 7004(a)(2). The regulation explicitly cites this exact pattern as an example of an asymmetrical choice. The CPPA fined Honda $632,500 on this finding and related ones. Any site still running this pattern is running a cited dark pattern.

What about "Accept All" vs. "Reject All" vs. "Customize"? Is three buttons fine?

Yes, as long as all three are equally prominent and on the first layer. The symmetry requirement is about the two primary choices (accept vs. reject) being equally accessible. A tertiary "Customize" or "Manage Preferences" is permitted and often useful for the subset of users who want granular control.

Can I require identity verification for access or deletion requests?

Yes. The CCPA distinguishes between opt-out (low-risk, no verification) and access, deletion, and correction (higher-risk, verifiable consumer request required; the term is defined at § 1798.140(ak), and the verification rules are in 11 CCR § 7060 and following). The Honda and Ford findings were about verification for opt-outs, specifically.

How should I propagate opt-outs to my mobile and CTV apps?

Persist the opt-out against the user account in your identity service, not against a device identifier. When any client (web, mobile, CTV, connected device) authenticates, read the opt-out flag from the account record. For anonymous contexts in CTV or mobile, implement an in-app opt-out UI that writes to the device-local state and, when the device is later associated with an account, promotes that state to the account.
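As an added example (not Consenteo's code, nor any identity service's API), here is an in-memory model of the store this answer describes: the opt-out is persisted against the account, read for every device on that account, and a device-local opt-out from an anonymous CTV or mobile session is promoted to the account when the device signs in. The class and method names, and the account and device ids in the walkthrough, are assumptions; a real deployment would back the two maps with the identity service's database.

```javascript
// Added example (not Consenteo's or any identity service's code): an
// in-memory, identity-scoped opt-out store. The names are assumptions.

class OptOutStore {
  constructor() {
    this.accounts = new Map(); // accountId -> { optedOut, since }
    this.devices = new Map();  // deviceId  -> { optedOut, accountId|null }
  }

  // Record an opt-out from any client. Signed in: write to the account, which
  // every other device on that account reads on its next access. Anonymous:
  // write to the device-local record only.
  recordOptOut({ accountId = null, deviceId = null, at }) {
    if (deviceId) {
      const d = this.devices.get(deviceId) || { optedOut: false, accountId: null };
      d.optedOut = true;
      if (accountId) d.accountId = accountId;
      this.devices.set(deviceId, d);
    }
    if (accountId) {
      this.accounts.set(accountId, { optedOut: true, since: at });
    }
  }

  // Called when a device signs in. Promotes a device-local opt-out to the
  // account, so it now covers every other device on that account, and links
  // the device so later account-level changes reach it.
  associate({ deviceId, accountId, at }) {
    const d = this.devices.get(deviceId) || { optedOut: false, accountId: null };
    d.accountId = accountId;
    this.devices.set(deviceId, d);
    if (d.optedOut && !this.isAccountOptedOut(accountId)) {
      this.accounts.set(accountId, { optedOut: true, since: at });
    }
  }

  isAccountOptedOut(accountId) {
    const a = this.accounts.get(accountId);
    return Boolean(a && a.optedOut);
  }

  // Resolve the preference for a client. The account flag wins for any
  // signed-in client; the device record covers anonymous contexts; a device
  // previously linked to an opted-out account inherits that state even on an
  // anonymous request (a CTV app between sessions, for example).
  isOptedOut({ accountId = null, deviceId = null }) {
    if (accountId && this.isAccountOptedOut(accountId)) return true;
    const d = deviceId ? this.devices.get(deviceId) : undefined;
    if (d && d.optedOut) return true;
    if (d && d.accountId && this.isAccountOptedOut(d.accountId)) return true;
    return false;
  }
}

// Walk the Disney scenario: opt out on web while signed in, check the same
// account on a CTV device, then take an anonymous in-app opt-out on a phone
// that later signs in to a different account. Ids are made up.
function disneyScenario() {
  const store = new OptOutStore();
  store.recordOptOut({ accountId: 'acct-42', deviceId: 'web-browser-1', at: 1 });
  const ctvSeesOptOut = store.isOptedOut({ accountId: 'acct-42', deviceId: 'roku-7' });

  store.recordOptOut({ deviceId: 'phone-3', at: 2 }); // anonymous in-app opt-out
  const tabletBefore = store.isOptedOut({ accountId: 'acct-99', deviceId: 'tablet-5' });
  store.associate({ deviceId: 'phone-3', accountId: 'acct-99', at: 3 }); // phone signs in
  const tabletAfter = store.isOptedOut({ accountId: 'acct-99', deviceId: 'tablet-5' });

  return { ctvSeesOptOut, tabletBefore, tabletAfter };
}
```

The decisive branch is associate(): without it an anonymous CTV or mobile opt-out never reaches the account, which is the Disney finding seen from the other direction. The device map also answers the question of what to do for a device that was linked to an opted-out account and is now browsing anonymously: it stays opted out.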

Does the Disney monitoring period set a precedent?

Yes. Three years of ongoing compliance reporting is now a realistic expectation for CCPA settlements of any material size. The operational cost of a settlement extends well beyond the cash fine. This is an argument for fixing these issues proactively rather than under settlement.

What's the single biggest mistake sites are still making in 2026?

The Honda pattern: an "Accept All" button on the first layer paired with "Manage Preferences" as the only alternative. The Honda case was in March 2025. A year later, informal surveys of US-facing websites suggest 30-50% of sites still run this pattern. If yours is one of them, that is the first fix.

Where to go from here

If your banner is one of the patterns described above, the single highest-leverage change is to replace the first-layer choice with symmetrical "Accept All" and "Reject All" buttons, and to wire GPC handling end-to-end across both client and server. Everything else (preference center redesign, account-level propagation, CTV app opt-out, downstream tag audit) follows from that foundation.

For the complete CCPA banner spec and the full enforcement table (eleven actions, $10M+ in fines across 2022 to 2026), see the CCPA Cookie Banner Requirements pillar. For the CPRA-specific provisions that changed the landscape in 2023, see CCPA vs CPRA: Key Differences. For the operational audit framework, see CCPA Audit Essentials.

If you want a second set of eyes on your current implementation before the CPPA gets to it, Consenteo's engineering team has implemented consent management on 200+ corporate sites globally and seen most of these failure modes in production. Get in touch and we'll walk your banner and opt-out flow cold.

Keep reading

More from the Consenteo Knowledge Hub on this topic.

  • CCPA Cookie Banner Requirements (2026): The Practitioner's Guide to Compliant Opt-Out, GPC, and Banner Design. A deeply cited, implementation-first guide to CCPA cookie banner requirements after the Disney, Honda, Ford, and Healthline enforcement actions. Covers symmetrical choice under § 7004, the new 2026 GPC display rule, and how to build a banner that survives CPPA scrutiny.

  • Opt-Out Without Verification: CCPA Form Design That Doesn't Get You Fined. Honda and Ford were fined for the same pattern: requiring identity verification before processing a CCPA opt-out. A practitioner's guide to designing an opt-out form that scopes the request, honors the right, and doesn't trip the per-violation enforcement math.

  • CCPA vs. CPRA: What Actually Changed, and Why It Matters Three Years On. The California Privacy Rights Act amended the CCPA in 2020 and took effect in 2023. Three years of enforcement later, the operational differences are clear: the 'share' right, the new sensitive-PI category, the CPPA as a dedicated regulator, and the cure period's disappearance. A practitioner's read on what changed and what it costs.
