Ford Motor Company was fined $375,703 by California's Privacy Protection Agency for requiring email verification before processing opt-out requests. Under the CCPA, opt-out requests cannot have verification barriers that exceed what is required for opt-in. This same misconfiguration exists as a default setting in many consent management platforms. The total CCPA fines for 2026 now exceed $4.1 million, with CalPrivacy systematically targeting industries including connected vehicles, streaming services, and ticketing platforms.
Ford Motor Company just got fined $375,703 by California's Privacy Protection Agency for a single, specific violation: requiring consumers to verify their email address before processing an opt-out request.
Not a data breach. Not selling data to bad actors. Just adding one extra step to their opt-out flow. That step cost Ford nearly $400K and forced a complete overhaul of their privacy practices.
Here is why this matters far beyond the automotive industry: the exact same misconfiguration exists as a default setting in many widely deployed consent management platforms right now.
What Ford did wrong
Between July 2023 and March 2024, Ford's digital properties and connected vehicle services required consumers to verify their email address before the company would process requests to opt out of the sale or sharing of personal information. If a consumer did not complete the email verification step, Ford simply did not process the opt-out.
On paper, this seems reasonable. You verify email for account creation, password resets, and newsletter signups. Why not for privacy requests?
Because the CCPA explicitly says you cannot.
The legal distinction that trips everyone up
Under the CCPA, businesses are allowed to verify identity for requests to delete, know, or correct personal information. These requests involve retrieving or destroying specific records tied to a specific person, so there is a legitimate reason to confirm who is asking.
Opt-out requests are fundamentally different. They are "prospective instructions to stop a practice." They do not require the business to locate or act on historical records. The consumer is simply saying "stop selling my data going forward."
The rule CalPrivacy applied: businesses may not require verification for opt-out requests to a greater degree than is required for opt-in processes. If signing up for targeted advertising does not require email verification, opting out of it cannot either. This is called operational parity, and it is now being actively enforced.
Why this is bigger than Ford
Here is the part that should concern every business running a website with a consent management platform:
Email verification before opt-out processing is not an edge case. It is a default configuration in many widely deployed CMPs and privacy rights management tools. Many businesses have unknowingly inherited this violation through off-the-shelf products that treat all consumer rights requests as verifiable.
That means if you implemented a CMP, plugged in the default settings, and moved on, your opt-out flow might be doing exactly what Ford got fined for.
CalPrivacy's connected vehicle sweep
Ford's fine did not come out of nowhere. It is the second enforcement action from CalPrivacy's ongoing investigative sweep of connected vehicle manufacturers, following a similar action against American Honda Motor Co. in 2025.
Connected vehicles are a particularly rich target for privacy enforcement because modern cars collect enormous amounts of data: location, driving patterns, voice commands, entertainment preferences, and passenger behavior. That data flows through complex ecosystems of OEMs, dealerships, third-party service providers, and ad-tech partners.
But the principle CalPrivacy is enforcing is not vehicle-specific. The email verification violation applies to any business operating under the CCPA: retailers, publishers, streaming platforms, financial services firms, health care companies, and SaaS providers.
The remediation requirements
Ford's settlement requires more than writing a check. The company must now:
- Implement easy opt-out methods with minimal steps and no verification barriers
- Conduct a full audit of all tracking technologies across its digital properties
- Ensure GPC (Global Privacy Control) compliance so browser-level opt-out signals are honored automatically
- Report to CalPrivacy on its compliance progress
That tracking technology audit is particularly significant. It is not enough to fix the opt-out form. CalPrivacy wants to know that when an opt-out is processed, it actually stops all the tracking, data sharing, and ad-tech integrations downstream.
The opt-out compliance checklist for 2026
Based on the Ford settlement and the broader 2026 enforcement wave (Disney's $2.75M, PlayOn's $1.1M, and now Ford's $375K), here is what regulators are looking for:
1. No verification barriers for opt-out
If a user clicks "opt out," that should be processed immediately. No email verification. No multi-step confirmation flows. No requiring account creation.
2. GPC signals honored automatically
If a browser sends a Global Privacy Control signal, your site must detect it and suppress all data selling and sharing before any scripts fire. This is non-negotiable in California, Colorado, Connecticut, and a growing list of states.
3. Opt-out applies across all services
If you operate multiple properties or products connected to a user account, an opt-out on one must propagate to all. Disney learned this the hard way. Their opt-out on Disney+ did not carry over to Hulu or ESPN+, resulting in a $2.75 million fine.
4. Operational parity between opt-in and opt-out
If opting into tracking takes one click, opting out cannot take five. The friction must be equivalent in both directions.
5. Audit your CMP's default settings
Do not assume your consent management platform is configured correctly. Review every setting related to opt-out processing, verification requirements, and signal handling. If your vendor's defaults include email verification for opt-out, change them now.
6. Log every consent interaction
When enforcement arrives, you need documentation. What signal was received? When? What action was taken? Consent audit logs are your defense.
How AutoCMP handles Do Not Sell
We built AutoCMP's opt-out flow specifically to avoid the violations described above. Here is how it works.
One-click "Do Not Sell" link
When you enable the Do Not Sell option in your banner settings, AutoCMP adds a "Do Not Sell or Share My Personal Information" link directly to your consent banner. Clicking it immediately denies sale and sharing categories (marketing, advertising, social media) while preserving analytics and functional consent. No email verification. No multi-step flow. No account required.
You can also embed a Do Not Sell link anywhere on your site with a single HTML attribute:
<a href="#" data-cmp-dns>Do Not Sell or Share My Personal Information</a>
The SDK automatically binds it. When a visitor clicks, opt-out is processed instantly and the link updates to confirm.
GPC signal detection
AutoCMP detects the Global Privacy Control browser signal on every page load. When GPC is detected and honored (the default setting), all sale and sharing categories are denied automatically before any tags fire. No banner is shown. The visitor's browser already told you their preference.
Consent records that distinguish how opt-out happened
Every consent interaction is logged with exactly how it occurred. AutoCMP tracks the method of each consent record separately:
- "Do Not Sell" — the visitor clicked the Do Not Sell link
- "GPC" — the visitor's browser sent a Global Privacy Control signal
- "Banner" — the visitor used the standard consent banner
The GPC signal state is also recorded independently on every consent record, so you can see cases where a visitor clicked Do Not Sell and also had GPC enabled. This level of detail matters when a regulator asks how a specific opt-out was processed.
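The GPC detection and the consent-record fields described in the two sections above, as an added example that is not AutoCMP's SDK code: the category names, the record layout and the navigator-like `nav` argument are assumptions chosen for illustration.

```javascript
// Added example, not AutoCMP's SDK code. Category names, record fields and the
// navigator-like `nav` argument are assumptions chosen for illustration.
const SALE_SHARE = ["marketing", "advertising", "social_media"];
const OTHER = ["analytics", "functional"];

// Browser-side Global Privacy Control signal; `nav` stands in for window.navigator
// so the logic can run outside a browser.
function gpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// No banner is needed when the browser has already stated the preference.
function shouldShowBanner(nav) {
  return !gpcEnabled(nav);
}

const consentLog = [];

// Record one consent interaction.
//   method:  "GPC" | "Do Not Sell" | "Banner"  (how the opt-out happened)
//   prior:   previous category map, if any (first visit: everything allowed)
//   choices: category map from the banner, used only for method "Banner"
// Opt-out paths take no identity input: the request is a prospective instruction,
// so there is no verification step that could block it.
function recordConsent({ nav, method, prior, choices }) {
  const gpc = gpcEnabled(nav);
  const categories = Object.fromEntries([...SALE_SHARE, ...OTHER].map((c) => [c, true]));
  Object.assign(categories, prior || {});
  if (method === "Banner") Object.assign(categories, choices || {});
  if (method !== "Banner" || gpc) {
    // Deny every sale/share category; analytics and functional keep their prior state.
    for (const c of SALE_SHARE) categories[c] = false;
  }
  const record = {
    method,           // how the opt-out happened
    gpc,              // GPC state, stored independently of method
    categories,
    recordedAt: new Date().toISOString(),
  };
  consentLog.push(record);
  return record;
}

// Gate every tag on the current record: a tag in a denied category must not fire.
function tagAllowed(record, category) {
  return record.categories[category] === true;
}
```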
Cross-domain propagation
When you use AutoCMP's identity linking, an opt-out on one domain automatically carries over to every other domain under the same organization. This is the exact issue that cost Disney $2.75 million when opt-outs on Disney+ did not propagate to Hulu or ESPN+.
The enforcement pattern is clear
CalPrivacy is working through entire industries systematically. Connected vehicles are the current focus, but streaming services, ticketing platforms, and the wider automotive sector are all in scope. Every sector is on notice.
The total CCPA fines for just the first 10 weeks of 2026 now exceed $4.1 million. And each settlement comes with increasingly specific remediation requirements that set new compliance baselines for everyone.
The message from regulators is consistent: privacy compliance is not about having a policy or installing a tool. It is about whether your systems actually work, in practice, at every touchpoint, across every service.