Honda enforcement order and consumer inquiry trends

Let's break down the California Privacy Protection Agency's Honda enforcement order—from the consumer perspective.

Summary

The CPPA's enforcement order against Honda offers a clear window into how California regulators evaluate opt-out compliance — not through legal analysis, but through the consumer's actual experience. Regulators are counting clicks, reading confirmation emails, and asking whether a typical person (not a privacy attorney) would understand what's happening and feel confident their request was fulfilled. The Honda case also highlights a gap many companies have: the disconnect between consent management tools handling cookie and advertising opt-outs and DSARs handling backend data. Forcing a consumer to navigate both systems for a single opt-out creates asymmetry that regulators are increasingly viewing as a dark pattern. Companies should pressure-test their own processes on multiple browsers, logged-in and logged-out, and do it periodically as websites change.

On the consumer inquiry side, the privacy inbox has become more complex. Regulators have explicitly said they send inquiries there, meaning it doubles as a compliance test. But the volume of noise is significant — spam, off-topic messages, and now ChatGPT-authored legal briefs that include fabricated cases and made-up rights. The underlying pattern matters: even AI-generated complaints typically represent a real consumer with a real grievance who doesn't know how to file formally. Teams managing that inbox need judgment about prioritization and how to evaluate what's genuine.

When regulators or plaintiffs go deeper, they ask about what's under the hood — deletion practices, how companies know they've addressed all relevant data, whether responses to specific questions are fully accurate. That requires companies to actually know their data environments, not just their policies. Data mapping helps significantly, but it's a resource-intensive undertaking that requires cross-functional buy-in. As enforcement headlines multiply, more companies are being asked the hard questions internally — which is gradually building the business case for the underlying infrastructure.

Transcript

**Colleen:** Hi, Alysa. How are you doing today?

**Alysa:** Hi. Good to see you.

**Colleen:** How's your week been so far?

**Alysa:** You know, being a privacy attorney these days is just every day you're shot out of a cannon. This privacy news cycle lately is hot. One major piece of enforcement news. Right? We saw out of California, the CPPA enforcement order against Honda.

**Colleen:** California, the CPPA enforcement order against Honda. It's been talked maybe to death on LinkedIn with all sorts of takes on their opt-out compliance and their dark patterns. But largely, it's made me just think about how much the regulators were focused on the consumer and the journey that the consumer would go through on that Honda website and really forces us to put ourselves in that consumer's shoes. What do you think?

**Alysa:** I definitely have that takeaway. They are counting the clicks. They are looking at it through the lens of a consumer. They've gotten complaints. And what is that journey like? Where is a not a lawyer, not a privacy attorney or privacy practitioner. Are they gonna understand it? Do the words you use? Does the flow do the instructions? Is there a confirmation email? All of the action items, how would a consumer understand those and respond to that if they want to exercise their privacy rights? So I thought that was really interesting, and it makes you really wonder. Like, when was the last time you do all these things for compliance, but when did you pressure test it as a consumer? Going on different browsers, trying to do it from an app, and then do it periodically because websites get refreshed. Like, things change, and I think it really just emphasizes the constant diligence you need to do on making sure that process works as intended.

**Colleen:** Absolutely. This is something we've been thinking about at Ketch last couple weeks as we saw this enforcement order and, of course, are checking with our customers, making sure deployments are okay. Something that we're really focusing on is the importance of integration between your consent management and your data subject rights products. Right? And when it comes to opting out of sale, that potentially includes advertising data than your CMP. That potentially includes data that lives in back-end systems that might typically be handled by a DSAR request. And if we're forcing a consumer to take actions in your consent manager, in your DSAR, that's probably gonna be asymmetrical, right, and a potential dark pattern if we're requiring too much of them. Are we thinking about that the right way, creating that comprehensive opt-out experience across tools?

**Alysa:** Well, I mean, I think what does the consumer expect? What is the consumer's experience when they're making these requests? And if they thought they made the request and they come back on another browser and they have an account with you, I think they're gonna have some questions. It's persistent, but GDPR is where we really first learned about cookie banners, and the structure of those still just is really hard to evolve for a lot of companies from a mindset on what US privacy laws require. And US privacy laws are not limited to cookies. And so when you're only talking about cookies or your solutions are really only focused about cookies, it's incomplete. And I think more and more, we're seeing just a lack of patience with accept.

**Colleen:** That brings me to the second thing I wanted to touch on with you, which is consumer inquiries that fall outside of the perfect banner opt-out or DSAR web form. There's other avenues. Right? Can you share what you've been seeing lately when it comes to those creative ways consumers get in touch?

**Alysa:** I started out as a consumer protection and advertising lawyer, and it is common sense that you need to have a good ear to your consumer complaint volume and what they're complaining about. Because if they're complaining to you, they're complaining to regulators. So there's always an importance of being able to filter and look through and have some sense. And by the way, we've heard from regulators, they've said, monitor your privacy inbox. Make sure somebody's looking at that email. That inbox is not like a nice, neat inbox of just consumer privacy complaints. And so I will just recognize the burden that a lot of companies have because you get a lot of spam. And then I think the latest thing that I've seen is ChatGPT-authored legal briefs that are privacy complaints that throw in a whole lot of things, and they look like a lawyer wrote them. And then you start reading them, and there's made up cases and made up rights and made up all sorts of things. And at the core of it, it's probably a consumer who really didn't have a good experience, and they're not a lawyer. They don't know how to write a complaint. They wanna get somebody's attention. So I will just say whoever is monitoring your inbox, be prepared to see a lot of things and be able to know how to respond and prioritize and also just what how to evaluate a lot of what those messaging just attempts are and still understand there's a consumer probably behind that that has an issue.

**Colleen:** The more we can put ourselves in the consumer's shoes, right, to try to experience it and create a more seamless process, the better. We talk a lot about the front of the house here, right, that consumer experience. But when it comes to getting subpoenaed or receiving a demand letter, there's questions that privacy professionals and their teams are gonna be asked that run the gamut from how you're collecting data at the front end all the way through where is it going on the back end. What are you seeing lately when it comes to what we're hearing from regulators? What's going on under the hood and how companies are handling that?

**Alysa:** They are asking what's under the hood. When you're answering very specific questions to a regulator, obviously, the statements have to be truthful. But in order to answer it fully and accurately, you really need to know the under the hood practices. And particularly, you're saying, here is our deletion practices. Here are the steps we take. Here is how we know that we have addressed all of the relevant information. You really need to know your environment. So companies are evolving. There's nothing static about it. And so it is a cat and mouse of you wanna be truthful, you wanna respond within a pretty compressed period of time usually, but you also need to know your business practices. And so that's where you lean in on what's the diligence we've already relied on to understand our environments. Data maps can be really helpful for that as they get into those specific questions. I think always having at least a periodically refreshed sense of your environments and what data, how it's being used, making sure it maps to your DSAR request in an appropriate way.

**Colleen:** When I think from a privacy tech perspective, data map is certainly where my mind first goes as a reasonable undertaking to have a better sense of that under the hood landscape of your data. But for many privacy professionals we talk to, a data map implementation project is a big undertaking. It involves a lot of stakeholders. So I wonder if it's challenging as a privacy approach to know when it makes sense to employ tech versus you can get away with kind of a static what do you think?

**Alysa:** So it's a really good question. I think there's just the practical reality of who's buying the tech, who's initiating, and, if it is the lawyer, the lawyer does not have the budget for doing something that affects the entire enterprise. And a company's environments can be really complicated, and you really need buy-in by a lot of business stakeholders that just may not know the urgency or may not have budget for that. And so I think there's a lot of homework that has to happen before any company really has the appetite and the resources to devote to that because it's pretty time intensive. There's a lot of benefits from that. They need to know that they're ready. And my sense is, like, the more headlines we're seeing on enforcements, it is raising awareness. The hard questions, I think, are being asked. I think more businesses are going to be sensitive to privacy issues, but we're on a very moving trajectory.

**Colleen:** Well, wonderful talking with you as always, Alysa. Folks, if you wanna hear more on any of these topics, let us know in the comments. We're happy to expand next time, and I'll see you soon.
