Opt-Out Without Verification: CCPA Form Design That Doesn't Get You Fined

There is one category of CCPA violation that the California Privacy Protection Agency has now fined in two separate cases: requiring identity verification before processing an opt-out request. Honda paid $632,500 in March 2025 with this as one of the findings. Ford paid $375,703 in March 2026 with this as the primary finding. The pattern is specific enough, and the enforcement is consistent enough, that opt-out form design is now a distinct compliance discipline, separate from banner design.

This post is the operational guide to that discipline. It is written for the product managers, privacy engineers, and in-house counsel who own the "Do Not Sell or Share" webform, the authorized agent flow, and the downstream systems that process opt-out requests. The goal is a form that scopes the opt-out correctly, collects no more data than the law requires, and is auditable against the Cal. Civ. Code § 1798.120(d) standard.

TL;DR. Under CCPA, the right to opt out of sale or sharing is not a verifiable consumer request. A business cannot require identity verification before processing it. The compliant form scopes the opt-out to the smallest identifier needed (browser cookie, session, or account ID if the user is logged in), applies within 15 business days, and propagates to every downstream ad-tech and data flow. The Honda fine was on an eight-field form. The Ford fine was on a one-field email verification. Both lost. The fix is a two-field form (California-residency attestation + scope selector), or zero visible fields if the CMP handles the identifier implicitly.

The statutory foundation

Three provisions carry the weight here. Reading them together makes the rule obvious.

Cal. Civ. Code § 1798.120(a): "A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information." The right is unconditional.

§ 1798.120(d): "A business shall not require a consumer to create an account or provide additional information beyond what is necessary in order to direct the business not to sell or share the consumer's personal information." This is the provision Honda and Ford were fined under. "Additional information beyond what is necessary" is the operative phrase, and as the enforcement record now shows, the CPPA reads "necessary" narrowly.

§ 1798.140(y): defines "verifiable consumer request" and applies it to access, deletion, and correction requests, not opt-outs. The CCPA's structural choice is clear: verification is appropriate where the risk of impersonation is high (access to data, irreversible deletion) and not appropriate where the action is low-risk and reversible (opting out of data sharing).

The regulations layer on top of this statutory scheme. 11 CCR § 7026 requires at least two designated methods for submitting opt-out requests and explicitly prohibits requiring a verifiable consumer request. 11 CCR § 7004(a)(5) requires that the opt-out method be "easy to execute." The CPPA's Enforcement Advisory 2024-02 on dark patterns ties these together: friction in the opt-out process that "substantially subverts or impairs user autonomy, decisionmaking, or choice" is a dark pattern, and consent or compliance obtained through a dark pattern is void.

The Honda form: eight fields

The Honda opt-out webform, according to the CPPA settlement order, required consumers to provide eight data elements before it would process an opt-out request. Honda's framing was that this information was needed to verify the consumer. The CPPA rejected the framing and fined Honda on two grounds that matter here:

1. The form required "additional information beyond what is necessary" in violation of § 1798.120(d).
2. The form's verification barrier effectively required a verifiable consumer request, which § 1798.145 and the implementing regulations forbid for opt-outs.

CPPA Deputy Director Michael Macko, announcing the settlement, explained the Agency's view: "We'll tally fines based on the number of violations." The $632,500 aggregate fine reflects Honda counting as a violation per affected consumer, not a single procedural violation.

Reference: CPPA Honda announcement, March 12, 2025; Honda settlement order PDF.

The Ford form: one field

If Honda's eight-field form was the upper bound of what triggers enforcement, Ford's form in March 2026 established the lower bound. Ford's opt-out process required the consumer to provide an email address and respond to a verification email before the opt-out was processed. A single field.

The CPPA's framing is worth quoting. The Agency's announcement on privacy.ca.gov characterized Ford's email-verification step as "unnecessary friction" and ordered, as part of the settlement, an audit of every tracking technology on Ford's properties (cookies, beacons, pixels, SDKs) for GPC handling.

The principle the Ford case establishes: even minimal verification is too much verification. If your opt-out form asks for any identifier for the purpose of confirming who the consumer is (rather than scoping the opt-out), you are in the Ford pattern.

There is a subtle distinction worth getting right. Asking for an identifier to scope the opt-out (e.g., "which email address did you provide us, so we can opt out the correct account record") may be defensible if framed correctly and if the form accepts the request even when the identifier cannot be matched. Asking for an identifier to verify that the person submitting the form is actually that consumer (e.g., sending a confirmation email that the consumer must click before the opt-out is honored) is the prohibited pattern.

The compliant form: two fields, or zero

What does a defensible opt-out form actually look like? Based on the regulation text and the enforcement record, there are two viable patterns.

Pattern A: The two-field form

For most businesses without a universal CMP that handles opt-out implicitly, a two-field form is the right answer:

1. California residency attestation. A checkbox: "I am a California resident" or "I am submitting this request on behalf of a California resident." This is the only jurisdictional scoping field needed, and it is defensible because CCPA rights belong to California residents specifically.

2. Scope selector. A radio or checkbox: "This opt-out applies to: [ ] this browser/device [ ] my account (optional: account identifier)." For logged-in users, the account identifier can be pre-filled. For anonymous users, "this browser/device" is the default and the opt-out is written to a first-party cookie on the root domain.

That is the entire form. Submit button, then immediate confirmation that the opt-out has been processed. No email verification. No CAPTCHA (which some regulators have also flagged as friction). No required account creation.

Pattern B: The zero-field form

For businesses running a modern CMP end-to-end, the form can effectively be zero fields. The CMP identifies the browser or session by its first-party cookie, writes the opt-out preference to the user's identity record (or to a browser-scoped preference for anonymous users), and displays a confirmation. The user clicks "Opt out of sale and sharing" and it is done.

This is the pattern most large CMPs (OneTrust, Cookiebot, Didomi, Usercentrics, CookieYes) support, and it is the one that minimizes legal risk. It also satisfies the frictionless-processing standard under 11 CCR § 7025(f), which can relieve the business of the separate "Do Not Sell or Share" link requirement.

What you can and cannot ask for

The regulation does not give a closed list of fields that are permitted. It gives a standard ("additional information beyond what is necessary") and the CPPA has enforced it consistently. The practical line is:

Permitted (if genuinely needed to scope the opt-out):

• California residency attestation
• Identifier to scope the opt-out (account ID for logged-in users, browser cookie for anonymous, usually captured implicitly)
• Check whether the request is from the consumer or an authorized agent

Not permitted:

• Email address for verification
• Phone number for verification
• Account creation
• ID upload or government document
• Notarization or witness
• Confirmation email that must be clicked to complete the opt-out
• CAPTCHA that prevents automation in a way that disadvantages legitimate consumers
• Required phone call or human-in-the-loop approval step

Gray area:

• Account number or customer ID to scope the opt-out, if the form still accepts the request even when the identifier cannot be matched. Defensible if the framing is correct.
• California ZIP code if part of a residency attestation. Probably fine. Not recommended.

The authorized agent wrinkle

CCPA permits consumers to submit rights requests through an authorized agent. The classic example is services like Permission Slip from Consumer Reports that mass-submit opt-outs on behalf of users. The regulation here is 11 CCR § 7063, and Honda was fined in part for getting this wrong.

The permitted verification for agent-submitted requests:

• Written permission from the consumer to the agent (the agent can attest to having this)
• The consumer's identity, only if the request is access/deletion/correction (not opt-out)

The prohibited verification (Honda pattern):

• Requiring the underlying consumer to re-verify themselves after the agent submits
• Requiring the agent to produce additional proof beyond the written-permission attestation

For opt-outs specifically, an authorized agent request should be honored with only the agent's attestation that they have written permission. No additional verification of the underlying consumer is needed, because the opt-out does not require a verifiable consumer request in the first place.

The downstream discipline: what happens after the form submit

An opt-out form that meets the CCPA standard but does not actually stop the data flows is not a compliant opt-out. The Healthline case (July 2025, $1.55M, AG announcement) and Disney case (February 2026, $2.75M, AG announcement) both involved opt-outs that technically processed but failed to stop downstream sharing. Form design is necessary but not sufficient.

The operational requirements once the opt-out is recorded:

Within 15 business days (§ 1798.135), the business must cease selling and sharing the consumer's personal information. In practice that means:

1. Client-side tags. Meta Pixel, Google Ads, TikTok Pixel, LinkedIn Insight, and any retargeting cookies must not fire with identifiable data for that user. If the CMP gates these tags, the opt-out state must be readable by the CMP on every pageview. The unified Google Consent Mode v2, GPC, and GPP implementation guide and the Microsoft UET Consent Mode guide cover the two most common implementations.

2. Server-side tags. If you run server-side GTM or any other server-side data-forwarding system, the opt-out state has to flow through to those pipelines. Server-side is not a workaround; the server-side tracking guide explains why.

3. Data warehouse and CDP flows. If your CDP or data warehouse forwards events to advertising destinations, those destinations have to be suppressed for opted-out users.

4. SDK flows in mobile and CTV apps. The Disney case made this explicit: any app, any device, any service associated with the user must respect the opt-out.

5. Propagation to logged-in accounts. Also from Disney: if the consumer is logged in, the opt-out propagates across every service and device where that account is recognized, not just the current browser.

The self-audit: a three-minute check

Pull up your opt-out form in a browser. Answer:

1. How many fields does the consumer fill out? If more than two, you are past the Honda threshold.
2. Does the form ask for verification (email, phone, confirmation click)? If yes, you are in the Ford pattern.
3. After submit, is there an immediate confirmation that the opt-out is processed? If "we'll process this within 15 days" language is used without the opt-out actually taking effect, that is a separate § 7025 issue.
4. Does the form accept requests from consumers who don't have an account with you? If not (account creation required), you are violating § 1798.120(d).
5. After opt-out, do Meta Pixel, Google Ads, TikTok, LinkedIn, and any retargeting cookies stop firing with identifiable data? Open DevTools Network tab to confirm.
6. For an authorized agent request, does the flow require the underlying consumer to re-verify? If yes, you are in the Honda agent pattern.

Each "yes" (to the failing condition) maps to a fine that has already been levied on a specific company in 2025 or 2026.

The consent-management platform question

Many of the businesses that run afoul of these rules do so because the CMP they purchased has default opt-out flows that are not actually CCPA-compliant out of the box. Honda's implementation was on OneTrust (per secondary analysis of the settlement order; see TrueVault's detailed analysis). The CMP is a tool; the compliance obligation stays with the business.

Questions to ask your CMP vendor, with the enforcement record as the reference:

• Does the opt-out flow default to no verification, or does it require email/phone/account by default?
• Does the CMP honor GPC end-to-end (browser signal → CMP state → tag suppression → GPP string update)?
• Does the CMP support propagating opt-outs to a server-side identity store for logged-in users?
• Does the CMP ship an in-app SDK for mobile and CTV apps with an in-app opt-out UI?
• Does the CMP's default Authorized Agent flow require underlying-consumer re-verification?

If the answer to any of these is "not out of the box" or "that's a configuration you need to make," that is the configuration you need to make.

FAQ

Can I require a California ZIP code to confirm residency?

The regulation doesn't explicitly prohibit it, but the safer pattern is a self-attestation checkbox. Requiring a ZIP adds a data field the consumer has to provide, and the residency attestation carries the same legal weight without collecting additional personal information. The spirit of § 1798.120(d) leans toward minimal collection.

If the consumer isn't logged in, how do I know which account to opt out?

You often don't, and that's fine. For anonymous browsers, the opt-out scopes to the first-party cookie on the browser. The CCPA does not require you to opt out every possible account that consumer might have with you. The scope is what the consumer can actually direct. For logged-in contexts, scope to the account. For anonymous contexts, scope to the browser/device. This is 11 CCR § 7025(c) read together with the minimum-scope language.

Can I send an email confirmation after the opt-out is processed?

Yes, as long as the opt-out is already processed and the email is confirmation, not verification. A confirmation email that says "we have opted you out, thank you" is fine and is actually useful for compliance records. An email that requires the consumer to click a link to complete the opt-out is the Ford pattern and is prohibited.

Does a CAPTCHA count as impermissible friction?

The CPPA has not fined anyone specifically on CAPTCHA, but the dark-patterns advisory leans against it. The CPPA's framing is that friction in the opt-out process that "substantially subverts or impairs user autonomy" is a dark pattern. A CAPTCHA that disadvantages screen-reader users or that pops an interstitial before an opt-out can be submitted is plausibly such friction. Most compliant implementations skip CAPTCHA on opt-out forms and rely on rate limiting at the server level.

How fast does the opt-out need to take effect?

Within 15 business days per § 1798.135. In practice, modern CMPs process opt-outs client-side immediately (the relevant cookies are cleared, the tag-gating state is updated, the GPP string is regenerated) and then propagate to server-side systems within the same session or within a short background job. Fifteen days is the statutory ceiling, not the target.

What about authorized agent requests specifically?

Accept the agent's attestation that they have the consumer's written permission. Do not require the consumer to re-verify after the agent submits. Honda was fined specifically on this pattern. The regulation is 11 CCR § 7063.

Is a "Do Not Sell or Share" link in the footer enough, or do I also need a webform?

The link is required if you sell or share personal information. Clicking the link should either immediately opt the consumer out (the frictionless pattern) or route to a form that processes the opt-out. If you process opt-out preference signals frictionlessly under § 7025(f), you can be relieved of the separate link requirement, but most businesses still implement both for defensibility.

Where to go from here

If your current opt-out form has more than two fields, or if it requires any verification step, it is the fastest compliance fix you can make this quarter. The CPPA has now fined on this pattern twice in twelve months. The fix is a UI change and a backend wiring change; the math on what not fixing it costs is simple.

For the full CCPA banner spec, see our CCPA Cookie Banner Requirements pillar. For the broader enforcement context, see the Honda, Ford, and Disney case study. For CPRA-specific provisions, see CCPA vs CPRA: Key Differences.

If you want a second set of eyes on your current opt-out form and the downstream tag-suppression flow, Consenteo's team has built and audited this exact layer on 200+ corporate sites across major jurisdictions. Get in touch and we'll review your current implementation against the enforcement patterns in this post.