Ford fined for “unnecessary friction” in opt-out

We often discuss privacy enforcement in the context of data breaches. But more and more cases show something else: regulators are also targeting “friction by design”, where exercising privacy rights becomes unnecessarily difficult.

A recent example is Cal Privacy decision involving Ford Motor Company. Ford agreed to change its practices and pay a $375,703 fine after CalPrivacy found that Ford added unnecessary friction to the optout process under the CCPA.

Link

Photo: Freepik

According to CalPrivacy’s decision, Ford required consumers to verify their identity (via email verification) before they could opt out of the sale and sharing of personal information collected through Ford’s digital properties and connected vehicle services.

The problem was not just “extra steps.” The decision highlights that Ford did not process opt-out requests unless consumers completed the email verification step, which effectively creates a barrier to exercising the right to opt out.

CalPrivacy’s message: “Opting out is supposed to be easy.”

The agency compares opt-out friction to checkout friction: if you add unnecessary steps, fewer people complete the action.

The settlement requires Ford to:

➡️ provide easy opt-out methods with minimal steps, and

➡️ conduct an audit of tracking technologies on its website, ensuring compliance with opt-out preference signals, including GPC.

CalPrivacy also notes this enforcement came from its broader review of privacy practices in the connected vehicle ecosystem, similar to earlier enforcement activity in that sector.

This case is interesting because it reflects what happens very often in corporate practice: opt-out and exercising privacy rights can face many difficulties, sometimes multiplied by companies to keep monetizing personal data.

In Ford’s specific case, the added verification may not be the most controversial example. In my view, additional verification can sometimes be justified as a security practice to correctly identify the requester.

However, there is a clear line that should not be crossed: practices that create excessive friction, such as special portals, hidden tabs, and unnecessary multi-step verification, should be publicly criticized and actively addressed by supervisory authorities.

Privacy rights are increasingly enforced at the UX and technical implementation level, not just in legal text.

Author: Sebastian Burgemejster