Your Ford Kept Selling Your Data After You Said Stop—California Just Fined Them

What Data Connected Cars Collect

Modern connected vehicles collect an enormous volume of data about their drivers. Ford vehicles equipped with connected services can capture:

• GPS location data showing everywhere you drive, when you arrive, and how long you stay
• Driving behavior including speed, braking patterns, and acceleration habits
• Vehicle diagnostics and maintenance status
• In cabin activity from connected infotainment systems
• Phone contacts and call logs synced via Bluetooth

This data has commercial value. Automakers share it with insurance companies, advertising networks, and data brokers. When Ford ignored opt out requests, it was choosing revenue over the legal rights of its own customers.

The "Unnecessary Friction" Problem

Under the CCPA, consumers have the right to opt out of the sale or sharing of their personal information. The law specifically states that businesses cannot require consumers to create accounts or jump through unnecessary verification steps to exercise this right. An opt out request is supposed to be as easy as making it.

Ford's online privacy rights form required email verification, effectively turning a simple opt out into a two step process. CalPrivacy determined this imposed a "verifiable consumer request" standard on opt out submissions, which violates the CCPA. The law reserves verification requirements for access and deletion requests, not for opt outs.

The result: consumers who thought they had opted out were still having their data sold.

Part of a Bigger Investigation

The Ford settlement is the second enforcement action from CalPrivacy's ongoing investigation into connected vehicle privacy. The agency has been probing how automakers handle consumer data since 2023, examining whether manufacturers comply with opt out requirements and whether they properly disclose their data sharing practices.

This follows a broader pattern of escalating privacy enforcement in 2026. Nineteen US states now have comprehensive data privacy laws in effect, and enforcement agencies are increasingly targeting companies that treat opt out mechanisms as suggestions rather than legal obligations.

What Ford Must Do Now

Beyond the fine, Ford agreed to substantial operational changes:

• Go back and process all previously ignored opt out requests from consumers who did not complete email verification
• Provide low friction opt out methods that do not require account creation or email confirmation
• Audit all tracking technologies deployed on Ford's websites
• Honor opt out preference signals, including the Global Privacy Control browser setting

The Global Privacy Control requirement is significant. GPC is a browser level signal that tells every website you visit to stop selling your data. Under the CCPA, businesses are legally required to treat it as a valid opt out. Ford must now comply.

How to Protect Your Connected Vehicle Data

If you drive a connected vehicle, take these steps:

• Check your vehicle manufacturer's privacy settings and submit an opt out request for the sale or sharing of your data
• Install a browser extension that sends the Global Privacy Control signal. Under California law, companies must honor it
• Review what data your vehicle collects by requesting a copy through the manufacturer's privacy portal
• Avoid syncing your phone contacts and call history with the vehicle's infotainment system unless you need the feature
• If you are in California, file a complaint with CalPrivacy at privacy.ca.gov if your opt out is ignored