Mar 13, 2026
Ford Got Fined $375K for Making It Hard to Say "Stop Tracking Me"
California's privacy agency ruled that requiring email verification before processing opt-out requests is an illegal dark pattern. The auto industry is on notice.
The Violation: One Extra Click That Cost $375,703
On March 5, 2026, the California Privacy Protection Agency (CPPA) fined Ford Motor Company $375,703 for a deceptively simple violation: when consumers submitted opt-out requests on Ford's website, the company sent a confirmation email stating "you must confirm your email and identity by clicking the button below." Anyone who did not click the link had their request silently ignored.
That single extra step—requiring email verification before honoring an opt-out—was enough for California regulators to classify Ford's process as an illegal dark pattern designed to discourage people from exercising their privacy rights.
Why Email Verification Crosses the Line
Under California Civil Code Section 1798.120, consumers have an absolute right to opt out of the sale or sharing of their personal information. The CCPA's Opt Out Rule is explicit: businesses must "honor opt out requests if they can comply with the request without requesting additional identifying information."
The CPPA drew a critical distinction. When someone asks to delete their data or access their records, identity verification makes sense—you need to confirm the right person is making the request. But opting out of tracking is different. If a consumer says "stop selling my data," the company already has everything it needs to comply. Adding a verification step serves only one purpose: making it harder for people to follow through.
The numbers prove the point. Every friction step in an opt-out flow causes a significant percentage of users to abandon the process. A confirmation email that lands in a spam folder, gets overlooked, or simply feels like too much effort effectively converts a privacy request into a non-event—exactly what the business wants.
What Ford Must Do Now
Beyond the fine, the CPPA required Ford to:
- Process all previously ignored opt-out requests—every submission that was discarded because the user did not click the confirmation link
- Implement compliant opt-out methods that work without requiring identity verification
- Audit all tracking technologies on its website to ensure they respect opt-out signals
- Honor opt-out preference signals such as the Global Privacy Control (GPC) browser setting
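For engineers implementing these requirements, the following sketch contrasts the confirm-by-email flow described above with an opt-out that takes effect on receipt, and gates data sharing on the GPC signal, which browsers send as the `Sec-GPC: 1` request header. It is an added example, not Ford's or the CPPA's code; the store, function names and sample addresses are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class OptOutStore:
    # Hypothetical in-memory store; a real system would persist these.
    opted_out: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # token -> subject (flawed flow only)


def submit_with_confirmation(store, subject, token):
    """Flow described in the article: nothing changes until a link is clicked."""
    store.pending[token] = subject       # request is parked, sharing continues
    return subject in store.opted_out    # stays False if the email is never confirmed


def submit_direct(store, subject):
    """Opt-out recorded on receipt, with no verification step."""
    store.opted_out.add(subject)
    return True


def gpc_enabled(headers):
    """True when the request carries the Global Privacy Control header."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {k.lower(): v.strip() for k, v in headers.items()}
    return normalised.get("sec-gpc") == "1"


def may_sell_or_share(store, subject, headers):
    """Check to run before any sale/share call (ad tags, broker feeds)."""
    if gpc_enabled(headers):
        if subject is not None:
            # Design choice in this sketch: persist the signal for known users.
            store.opted_out.add(subject)
        return False
    return subject not in store.opted_out


if __name__ == "__main__":
    # Constructed sample values, not taken from the enforcement action.
    store = OptOutStore()
    print(submit_with_confirmation(store, "a@example.com", "tok1"))
    print(may_sell_or_share(store, "a@example.com", {}))
    print(submit_direct(store, "a@example.com"))
    print(may_sell_or_share(store, "a@example.com", {}))
    print(may_sell_or_share(store, None, {"Sec-GPC": "1"}))
```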
Your Car Knows More Than You Think
The Ford case is part of a broader reckoning with how much data modern vehicles collect. Connected cars gather GPS location histories, driving behavior, speed patterns, braking habits, infotainment usage, voice commands, phone contacts synced via Bluetooth, and even cabin camera footage in some models.
Automakers share this data with insurance companies, advertising networks, and data brokers through embedded SDKs and telematics partnerships. Honda received a similar CCPA fine—roughly double Ford's amount—for comparable violations, signaling that the CPPA is systematically targeting the auto industry's data practices.
The Dark Pattern Playbook
Ford's tactic is far from unique. Many companies deploy friction in their opt-out flows to suppress completion rates:
- Confirmation emails that must be clicked within a time window
- Multi-step forms requiring account creation just to submit a privacy request
- Phone calls as the only available opt-out method, forcing users to navigate automated menus
- Misleading language that warns of "reduced functionality" if you opt out
- Delayed processing that takes 45 days while tracking continues
The CPPA's enforcement against Ford signals that regulators are treating these tactics as deliberate obstruction, not mere design choices. Companies that make it easy to sign up for data collection but hard to opt out are increasingly likely to face penalties.
What This Means for Consumers
If you have ever submitted a privacy opt-out request and been asked to "confirm your email" or "verify your identity" first, the company may be violating your rights under the CCPA. California residents can file complaints directly with the CPPA at privacy.ca.gov.
For everyone else, the Ford case is a reminder that opting out should be as easy as opting in. When it is not, that is usually by design—and regulators are finally starting to treat it that way.