CCPA

Compliance Takeaways From the CPPA’s Enforcement Action Against Honda


The California Privacy Protection Agency (CPPA) flexed its CCPA enforcement muscles in March 2025 when it entered into a stipulated settlement (Order) with Torrance, CA-based American Honda Motor Co. (Honda). The CPPA’s inaugural enforcement action, which required the automobile distributor to pay a $632,500 fine, signals the agency’s stance on CCPA compliance – one that balances a strict reading of the statute with, perhaps, a more practical focus on readily provable violations.

This article, with insights from Kelley Drye & Warren, Manatt and ZwillGen, examines the Order and its implications, evaluates the CPPA’s enforcement approach and offers practical compliance lessons for companies.

See “Outgoing CPPA Board Member Discusses Rulemaking and Looming Privacy Issues” (Sep. 25, 2024).

Insights on the Alleged Violations

The Honda settlement stems from a review of data privacy practices used by connected vehicle manufacturers announced by the CPPA in July 2023. Connected vehicles are computerized and embedded with features such as location sharing, web-based entertainment, integrations with smartphones and cameras. Such vehicles are “able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” said Ashkan Soltani, CPPA’s Executive Director at the time the review was announced.

Honda is the North American subsidiary of Honda Motor Co., Ltd, which is incorporated in Japan. Honda distributes, markets, and sells Honda and Acura-brand automobiles as well as motorcycles and scooters. It supplies vehicles to more than 160 Honda and Acura dealerships in California. Honda’s annual gross revenue exceeded $25 million in 2023 and 2024, according to the Order, which was adopted by the CPPA Board on March 7, 2025. Honda also annually sells or shares the personal information of 100,000 or more California consumers or households.

As set forth in the CPPA’s press release (Release), Honda violated the privacy rights of Californians by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights; and
  • sharing consumers’ personal information with adtech companies without producing contracts that contain the necessary terms to protect privacy.

A Cumbersome Opt-Out Process

The method that consumers had to use to opt out of the sale or sharing of their personal information required them “to provide more information than necessary to exercise their CCPA rights to opt-out,” according to the Order, which provides:

Honda’s “Submit a Privacy Request” link takes Consumers to a webform titled “Consumer Privacy Rights Request Form” that requires the same information for five different requests: (1) Do Not Sell of [sic] Share My Personal Information, (2) Limit Use of My Sensitive Personal Information, (3) Opt-Out of Automated Decision Making and Profiling, (4) Personal Information Disclosure, and (5) Delete My Personal Information.

To submit a request, consumers were required to “provide their first name, last name, address, city, state, zip code, preferred method to receive updates, email, and phone number to submit the request.” Honda’s form also offered consumers the option of providing the brand of the product they own and its vehicle identification number or serial number.

“The CPPA made the creative argument that by requiring submission of unnecessary data fields, Honda was in effect requiring ‘verification’ of an opt-out request, which – unlike other state privacy laws – the CCPA does not permit,” Ken Dreifach, a shareholder at ZwillGen, told the Cybersecurity Law Report.

The agency’s focus on Honda’s opt-out process “underscores that regulators see California’s ‘opt-out’ rights as perhaps preeminent among all of the rights granted under the CPPA – the caveat being that we are only in the first inning of enforcement actions, and we are likely to see California regulators enforce an even wider set of consumer privacy rights over time,” Dreifach said.

Covered entities are thus confronted with something of a compliance dilemma. “On the one hand, they must collect enough data elements to ensure they can identify a consumer in a unique way (given that consumers’ addresses and even names change over time and/or are shared), but on the other hand they must not require so much information that a regulator might deem it overkill,” observed Dreifach. Achieving that balance is “an exercise in database analysis as much as in legal analysis – determining what combination of submitted identifiers aligns with the data library a company has on hand,” he added.

See “Privacy Settings May Serve As One-Step CCPA Opt-Out From Sale” (Jun. 17, 2020).

An Unacceptable Asymmetry

The CPPA also found fault with Honda’s approach to cookie management. The company contracted with third-party compliance vendor OneTrust to provide a cookie management tool for its websites. The problem was that it was harder to opt out of advertising cookies than it was to opt in to them.

“The CPPA faulted Honda for requiring two clicks to opt out of sale but only one click to opt back in,” Aaron Burstein, a partner at Kelley Drye & Warren, told the Cybersecurity Law Report. The agency “made it clear that it views this asymmetry as unacceptable,” he noted, adding that under the CCPA, companies must ensure that consumers can exercise their opt-out rights with minimal steps, and “any changes to opt-out and opt-in processes need to comply with this requirement, too.” The need for caution around use of off-the-shelf tools is discussed below.

A Failure in Managing Authorized Agent Requests

The CPPA also disapproved of Honda’s approach to opt-out requests submitted by authorized agents. “Businesses may ask the Consumer’s Authorized Agent to provide the Consumer’s signed permission demonstrating that they have been authorized to act on the Consumer’s behalf,” the agency notes in its Order. Businesses may not, however, require consumers “to directly confirm that they have provided the Authorized Agent permission to submit the request.”

Missing Contracts With Advertising Tech Vendors

Honda also ran afoul of CCPA requirements by failing to produce contracts with adtech companies to which it sells, shares or discloses personal information about consumers, the Order provides.

See “Back to the Table: CCPA Regulations Spark New Wave of Service-Provider Negotiations” (Jul. 15, 2020).

Considerations That Impacted the Fine Amount

Despite the general accessibility of Honda’s consumer request tools, the CPPA still pursued a significant $632,500 penalty. “It is a particularly heavy fine when one notes that Honda not only presumably cooperated in the investigation, but also appeared to have set up its consumer request tools in a way that was diligent and accessible, if imperfect,” opined Dreifach. It appears the company did not “obscure the process or intentionally burden the consumer in any way.”

The CPPA framed the fine as a necessary response to the apparent violations. “The remedy should fit the problem behavior,” argued Michael Macko, the head of the CPPA’s Enforcement Division, in the Release. The CPPA will not “hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations,” he said.

The amount Honda was fined demonstrates “that the CPPA was willing to assess the maximum penalties authorized outside of CCPA violations that are intentional or involve children under the age of sixteen,” Brandon Reilly, a partner at Manatt, told the Cybersecurity Law Report. He pointed out that the agency assessed $632,500 total, but specified that $382,500 of that amount accounts for violations impacting 153 California residents.

“If you divide $382,500 by 153, you get $2,500, which is also the statutory maximum under the CCPA for non-intentional violations not involving children, pursuant to California Civil Code section 1798.155(a),” Reilly explained. One factor slightly more favorable to Honda is that “the agency appears not to be assessing multiple violations against one consumer – for example, if the same consumer requested opt-outs multiple times,” he said.

The absence of any consumer restitution, and the fact that the $632,500 fine goes solely to the CPPA, may be unsettling to some given that the alleged harm here was experienced by individual consumers. “In any given case involving civil penalties, my hope is that the agency will start with an assessment of consumer harm to set an appropriate fine,” Burstein said.

In addition to paying the fine, Honda is also obligated to revise its methods for opting out of the sale or sharing of personal information, the process for authorized agents submitting CCPA requests and its cookie management platform.

Pursuant to the Order, Honda must consult with a user experience (UX) designer to evaluate its methods for submitting CCPA requests. The company also must modify its contract management and tracking process.

A Youthful Agency Takes a Mature Approach

The California Privacy Rights Act, which amended the CCPA, established the CPPA as the enforcer for the law. Previously, the California AG pursued CCPA enforcement.

See “A Roadmap to the Final Regulations Under the CPRA” (Mar. 15, 2023).

Focus on Consumer Requests

“The CPPA’s settlement with Honda, and the nature of its allegations, demonstrate that the CPPA is quite serious about ensuring that consumers’ statutory information requests are respected – particularly regarding the sale of personal information and use of information for behavioral targeting,” observed Dreifach. Additionally, he continued, “the CPPA appears to be looking at both form and substance – not simply that companies grant the required rights, but also that the methods are ‘symmetrical’ compared to any consent process – and, in practical terms, reasonable, clear and accessible.”

See “What to Expect From the CPRA – California’s New Proposed Privacy Law” (Sep. 30, 2020).

Going Beyond the Surface

The agency’s settlement with Honda may suggest that it and the AG place an emphasis on operational details that extend beyond surface-level compliance. “The enforcement actions we’ve seen so far indicate that both agencies are digging into the details of how companies comply with the CCPA,” said Burstein.

“While the Attorney General’s first enforcement action, which was against Sephora, focused on opt-out rights, the CPPA’s action against Honda shows that the agency is paying close attention to the finer details of privacy rights under the CCPA and will take a very close look to determine whether opt-out, access, deletion and other rights are working from consumers’ perspectives,” noted Burstein.

Setting Up for Investigation and Enforcement Scalability

The Honda matter “can be seen as demonstrating a roadmap for the CPPA to scale its investigative and enforcement powers by prioritizing readily apparent findings that are relatively easy to prove,” Reilly said.

One area of focus is user interface design, especially as it relates to opting out. “User interfaces that involve an asymmetry in consumer choice are also easy for the agency to investigate and prove up,” Reilly said. Because these interfaces appear on public-facing websites and apps, the CPPA can pursue violations based on simple metrics such as the number of clicks required to opt out versus those needed to opt in. “This allows the CPPA to avoid more arguable violations centered on choice of language or website formatting: a click is a click, and a regulated business may have an issue if more clicks are required for a more privacy-protective outcome,” he explained.

Applicability Across Industries

Although the CPPA’s pursuit of Honda stems from an industry-specific inquiry, that action, as well as the “California Attorney General’s Sephora action both were carefully crafted to reveal findings that could be applied across industries and use cases,” said Reilly.

The Sephora action “was not specific to the cosmetics industry; it was relevant to any regulated business that was using third-party tracking technologies on its website,” Reilly explained. Similarly, he maintained, “the Honda action is not specific to the automotive industry – perhaps a surprise given privacy enforcers’ recent fixation on connected vehicles and telematics – but is relevant to anyone deploying consent management tools and contracting with third-party providers.”

See “Lessons From California’s First CCPA Enforcement Action” (Sep. 28, 2022).

Compliance Steps to Manage Evolving Responsibilities

The CPPA’s scrutiny of data minimization and verification standards in the Honda matter should inform organizations’ CCPA compliance strategies moving forward.

Review and Customize Off-the-Shelf Tools

Companies should use caution in relying on off-the-shelf tools that may, in the end, create a compliance risk. “Many companies make the common mistake of relying on ‘out of the box’ templates and disclosures,” observed Dreifach. Although third-party vendors provide very helpful tools, he cautioned that “they are not one-size-fits-all – neither created for all state privacy models, nor for all companies.”

Not surprisingly, “companies differ widely in how much data they collect, and how they and their vendors use that data – including cookies and digital IDs – for a range of targeted ads and analytics,” Dreifach added.

“The defaults that are set by a vendor on a consent management tool might not be suited for a particular company,” Burstein agreed. Thus, he advised, “it is critical to look at how choices are described, whether it is easy for consumers to make choices, and how choices are put into effect.”

With the differences in companies’ needs and the necessary review of choices, legal oversight becomes that much more vital. “It is important for an attorney familiar with these data models and state privacy laws to review and customize the tools and language presented – often after receiving input from a company’s marketing, web development and, if applicable, data usage or licensing teams,” Dreifach advised.

Even “minor language and operational tweaks can make a big difference,” Dreifach continued. For instance, he posited, “had Honda made its multi-variable ‘opt out’ web input forms optional rather than mandatory, it may not have attracted the ire of California regulators.”

Establish a Privacy Program That Incorporates Evaluation

“Companies should recognize that, while perfect compliance with the CCPA probably isn’t realistic, regulators’ expectations are increasing,” said Burstein. “What was good enough in 2021 might not pass muster now,” he cautioned, stressing that companies should establish “a program that enables them to identify weak points, prioritize fixes, and follow through on them.”

Practice Good Contract Hygiene With Third Parties

The Honda settlement also serves as a reminder to practice good contractual hygiene with third-party vendors. “The existence or absence of CCPA-required contract protections is easy for the agency to investigate and prove up,” Reilly said. “The CPPA’s implementing regulations require written contracts for most data sharing transactions that are subject to the CCPA, including specific language that must be added depending on the parties’ relationships to each other,” he noted. “On the enforcement side, this provides an easily discernible area for investigation because a regulated business either has executed such a contract or it hasn’t,” Reilly continued.

Honda’s lack of contracts with adtech vendors might serve as a warning bell for other businesses using similar vendors. “Adtech contracts must go through the same third-party vendor management protocols as others,” Reilly noted. “If an adtech buyer is presented with a take-it-or-leave-it set of terms that does not include the requisite privacy provisions, they should be renegotiated or else seen as an accepted risk,” he advised.

It remains unclear “whether the CCPA literally requires each publisher to have a direct agreement with each third party – even those that may be multiple leaps downstream – or whether the ‘daisy chain’ nature of adtech data sharing and ‘syncing’ means that each party need only contract with those with whom it directly transacts,” observed Dreifach. “The former is logistically very difficult: if that is indeed the CPPA’s objective (a question left open by the Honda Order), efforts towards some type of single universal agreement will need to redouble,” he said. It is possible that efforts by the Interactive Advertising Bureau to establish a single agreement between adtech vendors could gain new steam.

See “IAB Unveils Multistate Contract to Satisfy 2023 Laws’ Curbs on Targeted Ads” (Feb. 22, 2023).

Consider Adapting UX Design

Considering the Honda enforcement action, companies might also adapt their privacy request workflows and UX design in light of the CPPA’s emphasis in the settlement on user-friendly interfaces. “There is often a tension between making disclosures consumer friendly and making them complete and accurate,” Burstein observed. “Opt-out rights descriptions that hit both of those marks are challenging,” he acknowledged, suggesting that different experts from legal, privacy operations and product teams might need to be involved.

Customizing a user interface “as it relates to privacy rights and consent management” is important, Reilly emphasized. “Out-of-the-box” solutions offered by consent management providers “should be closely scrutinized by privacy professionals to determine whether they might unintentionally create a dark pattern,” he advised.

In addition to takeaways from the Honda action, Reilly continued, “it is also important for regulated businesses to familiarize themselves with the CPPA’s regulations on symmetry of choice.” He also recommends that companies review New York AG Letitia James’ guide on online privacy controls.


State Laws

Connecticut AG’s Report Reveals Privacy Enforcers Reaching Deeper Into Their State Laws


State privacy enforcement is maturing beyond the policing of privacy notices. A new Connecticut enforcement report (Report) issued on April 17, 2025, details the Office of the Attorney General’s (OAG) effort to enforce data-management provisions deeper in the state’s statute. “As part of the next wave of our enforcement efforts, we have expanded our focus to include not just privacy notices but also cookie banners,” the Report says. The OAG states that it is looking to “focus on the entire data flow” of personal information and warns companies about hindering consumers’ ability to exercise their opt-out rights over targeted advertising.

“We are moving into a phase, particularly with those states with laws that have been on the books for several years now, [where there is] more of a nuanced compliance analysis” by enforcers, Orrick partner Nick Farnsworth told the Cybersecurity Law Report.

The Report also provides a snapshot of harmonization efforts by enforcers in seven of the states with comprehensive privacy laws, who announced a coalition one day before the Report’s release. The OAG proposes adopting several of other states’ most consumer-protective measures, including creating a new universal deletion mechanism to address third parties holding personal data. On April 28, 2025, legislators advanced a bill containing almost all the OAG’s requested amendments toward a full state senate vote.

This article analyzes key implications of the report for state-level privacy enforcement, with comments from privacy leaders in Connecticut’s and Oregon’s AG offices and insights from experts at Cooley, Holland & Knight, Manatt and Orrick.

See “California’s Delete Act Enforcement Sweep Takeaways” (Apr. 2, 2025).

Voluntary Report and Enforcement Letters

The Connecticut Data Privacy Act (CTDPA or Act) only required the OAG to issue one enforcement report, which it delivered in February 2024. “We received initial feedback that the first report helped people,” Connecticut deputy associate AG Michele Lucan told the Cybersecurity Law Report. This second report was voluntary and is meant to give companies guidance and further help, she said, adding that companies should consider addressing the Report’s concerns in their practices.

More than reports or guidance, fines help privacy lawyers to persuade corporate decision-makers to fund privacy program improvements. The CPPA’s March 7, 2025, settlement with Honda over privacy compliance shortcomings for a $632,500 penalty has drawn C-suite attention, lawyers say. Outside of Texas and California, however, AGs have not demonstrated the power of penalties under their laws.

State enforcers are aware of the critique that they have been too restrained to influence businesses, Lucan said. “It’s not the case that we’re being quiet. There is a ton of enforcement happening behind the scenes,” she countered. Companies should heed the compliance message to avoid facing something worse than receiving an AG’s letter of noncompliance. The investigative letter stage “is still enforcement, not litigation,” she stressed.

See “Navigating Government Investigations of Privacy Practices” (Sep. 4, 2024).

Warning About Delayed Breach Notifications

The OAG said it received 1,900 breach notices in 2024, a rise from 1,500 in 2022. The Report details a “troubling trend of timelines stretching out many months” before companies contacted the OAG.

OAG Starts Clock With “Suspicious Activity”

The OAG “has issued dozens of warning letters regarding notice delays. In these letters, we continue to stress that we view the statutory notice period to run from the date that a company becomes aware of suspicious activity, not the date it determines the full impact to personal information,” the Report emphasizes.

When they complain about delays, enforcers are not acknowledging multiple practical issues that companies face, several breach responders told the Cybersecurity Law Report.

Starting the clock with a “suspicious activity” alert is a low bar, said Cooley partner Kristen Mathews. “It can take a lot of time for a company to investigate and convert suspicious activity into real knowledge that is worth telling anyone about. All that time would eat into the 60-day period for notification,” she noted.

Even if a breach appears to be real, “often the company can see only that an intruder was in the system, but not what [the actor] did,” Marmor agreed.

Over the past couple years, “breaches have become more complicated, and the investigations sometimes require a [more complex] level of forensics than in the past” to confirm whether a breach happened, Farnsworth noted.

See “Navigating the Interplay of Breach Response and Breach Notification” (Oct. 26, 2022).

OAG Urges Companies to Report Before Identifying the Affected Individuals

Companies also dislike the OAG’s expectation that they should report breaches regardless of whether they have determined whose personal information was taken. A company may only have IP addresses, so often it must track down individuals’ locations and contact information, noted Manatt partner Paul Luehr. “I’ve had breaches where it took two weeks to figure out what happened. Getting the addresses took three months,” he said.

Until now, many companies have waited to notify until they have better determined the extent of the data affected. “The reality is that timing is always subjective, and there’s enough wiggle room in the laws to wait,” said Marmor. Also, “with so many breaches happening, I wouldn’t be surprised if certain companies didn’t feel a huge risk” in waiting until they know more, she suggested.

Enforcers’ patience appears to be running thin on this issue. Oregon Senior Assistant AG Kristen Hilton told the Cybersecurity Law Report that her office, like Connecticut’s, finds many companies improperly delaying their notifications. “If they don’t have the contact information yet, they should make a substitute notification within 30 days, which is part of Oregon’s breach law” and the laws in most other states, she warned.

See our two-part series on a mock cyber incident tabletop exercise: “Day One, Everything at Once” (Jun. 19, 2024), and “Day Two and Beyond” (Jun. 26, 2024).

Criticism of Vague Notifications

The OAG also said it has seen a trend of insufficient and vaguely worded consumer notifications.

AGs and companies differ in their views on what to tell customers. “A lot of times the AG thinks that a high level of detail is valuable to consumers. Companies that know their consumers well often feel differently,” believing that customers do not want details on the hack and its impacts, Marmor observed. “With a breach, once the information is out there, really, what a consumer most wants to know is what was the data and what resources [are available] to help [them] protect from its misuse,” she noted.

See “Connecticut AG’s Report Highlights Enforcement Risks and Points to Action Steps for Companies” (Mar. 13, 2024).

Shortcomings on Privacy Notices

The OAG said it encountered many “glaring facial deficiencies” in privacy policies. “I was not at all surprised to see the OAG say that it felt that people were missing the mark on privacy notices. We definitely see a lot of mistakes when we survey the field,” Marmor said.

Cursory Updates and Missed Elements

The OAG found policies that had not been updated since the original version of the CCPA and so displayed out-of-date details. Another common problem is superficial updates, Marmor reported. “Many companies understand that these laws are out there and write the different states into their privacy policy but clearly have not really dug in on the nuanced requirements,” she explained.

For example, Marmor continued, some companies fail to satisfy longstanding California obligations to specify the categories of PI collected, the data sources, the reasons for collecting and so on. “Pretty clearly California wants to see a chart, but a lot of people miss the chart,” she noted. Many companies also do not account for various states’ opt-outs for targeted advertising.

Even diligent updaters can miss a detail with all the state laws, Farnsworth pointed out. “We are starting to see companies try to shift their privacy notice practices towards a more United States approach, rather than state by state. That requires a level of nuance to find the high-water mark across all those laws, and we do see companies that will miss that high-water mark in one aspect or another,” he explained.

Conflicting Statements on Targeted Advertising and Sale of Data

The Report notes that the OAG sent notices to companies to remove “conflicting language in privacy notices (i.e., where a company stated they did not process data for sale whereas other disclosures indicated that such sales were occurring).”

Regulators’ concerns about inconsistency come up most often with notices about third-party ad trackers, Farnsworth noted. Some AGs believe companies’ use of cookies and trackers requires both “targeted advertising” opt-outs and an opt-out from sale of personal information, “to the extent third parties can use that data for their own purposes,” he elaborated.

“It’s not always intuitive to companies that the use of third-party technologies for targeted advertising purposes automatically would qualify as a sale” in instances where they have offered an opt-out for that targeted advertising, Farnsworth observed.

See “Practical Insights Direct From U.S. State Privacy Enforcers” (Apr. 10, 2024).

Dark Patterns With Cookie Banners

The Report highlights cookie controls, despite the laws in Connecticut and other states not requiring them. The OAG in autumn 2024 sent a sweep of notices about “cookie banners that undermine or even override consumers’ ability to make important privacy choices, including the right to opt out of targeted advertising or the sale of their personal data through the use of tracking technologies,” the Report notes. Now, the Report adds, the OAG has identified additional companies for a second sweep.

The compliance issue is with dark patterns. It arises because “more companies in the United States are adding cookie banners to try to address the pressures being put on them by plaintiffs’ counsel around potential wiretap claims,” Farnsworth noted. Because the laws do not address cookie banners seeking an opt-in and companies’ motivation is avoiding litigation risk, “they aren’t recognizing that there is a regulatory scrutiny. Regulators are looking at the design of cookie banners as to whether they use dark patterns,” he explained.

The AGs are reviewing whether the cookie banners ensure a symmetry of choice, Farnsworth continued. California and New York AGs both issued guidance about this. Regulators are checking whether the website “is making it easier for someone to opt in than to opt out,” he elaborated.

Companies should consider first designing a cookie banner that addresses notice and consent for any trackers and data collection vulnerable to a wiretap claim, then do a dark pattern check by consulting the AGs’ guidance on deceptive designs, Farnsworth recommended.

AGs may find another problem with cookie banners if any sensitive data is collected using them. The notice supplied to consumers through a banner may not satisfy state privacy laws’ definitions of affirmative express consent.

See “How Companies Can Identify and Prevent Unlawful Dark Patterns” (Jan. 10, 2024).

Will Law Updates Follow Maturing Privacy Enforcement?

The arrival of questions about opt-out mechanisms and dark patterns parallels another evolution. In the first couple years of new state privacy law enforcement, regulators sent companies requests for information and informative letters, reflecting acceptance that “businesses were building towards compliance,” Farnsworth said.

Now, regulators are sending companies stronger letters of noncompliance that ask more questions, Farnsworth continued. Newer conversations may include a message that “these requirements have been on the books for quite some time and we would have expected that your compliance measures would be in place,” he added.

Connecticut’s Report demonstrates enforcers’ efforts to fine-tune their state laws based on their own and others’ enforcement experiences. The announced AG privacy coalition is nonexclusive, but the states involved share findings and other information, enforcers from Oregon, Connecticut, California and Colorado said during panels at the IAPP Global Privacy Summit on April 23, 2025. Regulators from Delaware, New Jersey and Indiana also participate, while Texas, which has a privacy enforcement staff of 20, conspicuously was not listed.

A Bill to Update the CTDPA to Match Other States

The Report asks for eight sets of proposed changes to the state’s privacy law and repeatedly cites other states’ standards or the OAG’s own investigations as support. Connecticut legislators on April 28, 2025, voted to forward to the full state senate a bill containing almost all the recommendations.

Sensitive Data, Thresholds and Minors

The Report recommends strengthening Connecticut’s data minimization requirements to match Maryland’s, and to adopt Maryland’s ban on targeted advertising to minors. Legislators should eliminate “wholesale carveouts” for entities covered by HIPAA and the Gramm-Leach-Bliley Act, and for nonprofits, the Report recommends. New provisions also should reduce the customer thresholds to match those in “small states,” such as Delaware and New Hampshire, and greatly reduce the threshold for enhanced protections for minors.

The Report requests incorporating into the sensitive data categorization “a comprehensive list of elements added by other states since the CTDPA’s passage” and lists seven examples. It also asks that the CTDPA count any biometric data that could identify a person and use Maryland’s “should have known” standard for minors’ use of websites to trigger protections.

One-Stop Deletion Button

“We urge the [L]egislature to follow Oregon’s lead” and give residents a right to request a list of third parties that receive their personal data, the Report says. “Connecticut residents must have insight into the third parties that gain access to their data so that they can track their data downstream and effectively exercise their rights,” the OAG writes.

The OAG’s investigations revealed that “some controllers do not understand the breadth of third-party data sharing that happens through their online services, and these heightened disclosure requirements would require more responsible data practices,” according to the Report.

However, giving consumers the right to a list does not satisfy many people, Marmor observed, because it “puts a lot of burden on the consumers. Their data may have gone to 30 different companies. And that’s a lot of work for the consumer to go out and unwind” with deletion requests, she said.

The Report recommends that Connecticut residents be the first in the U.S. to get both a list of third parties and a universal deletion button to act on it. “A mechanism that allows Connecticut residents to exercise deletion rights at scale is sorely needed,” the Report says. As the OAG did in the first report, it urges a “one-stop-shop deletion mechanism such as that contained in California’s Delete Act” that would let Connecticut residents wipe their personal information from data brokers’ files with a single, verified request.

Push to Narrow Exemption on Publicly Available Information

“Regulators are trying to find solutions for how to help people keep their sensitive data out of the broader ecosystem,” Marmor observed. In addition to seeking stronger deletion and universal opt-out mechanisms, they have focused on profiling.

“The publicly available information exemption has been called out by regulators as potentially being too broad and at times undermining some intents of the laws,” Farnsworth noted.

The Connecticut bill excludes the making of profiles and inferences from an exemption for publicly available data. If the bill passes, businesses will not be able to use “(i) information that is collated and combined to create a consumer profile that is made available to a user of a publicly available Internet web site either in exchange for payment or free of charge, (ii) information that is made available for sale, or (iii) inference that is generated from the information.”

Exclusion of a Requisite Universal Opt-Out Setting

The OAG also urges a requirement for all browser vendors and mobile operating systems to offer a universal opt-out setting for consumers to broadcast privacy preferences, but the bill does not include this provision, which has struggled in California’s Legislature so far.

Benchmarking

NAVEX Statistics on Internal Reporting and Substantiation
Internal reporting mechanisms enable employees to bring business- and workplace-related issues to the attention of their organizations. Each year, NAVEX, a provider of risk and compliance management software, analyzes the incident reports and inquiries logged by its customers. It studies reporting and substantiation rates, reporting mechanisms, report outcomes, reporting by risk category, anonymous reporting and other metrics, as well as changes in those metrics over time. The NAVEX 2025 Whistleblowing and Incident Management Benchmark Report (Benchmarking Report) indicates that incident reporting remains at a record-high level – and more reports are being substantiated. This article distills those and other key findings from the Benchmarking Report and the insights offered during a related webinar featuring Carrie Penman, chief risk and compliance officer at NAVEX; Jane Norberg, a partner at Arnold & Porter and former Chief of the SEC Office of the Whistleblower; and Anders Olson, senior manager of the NAVEX data science team.

See “NAVEX Shares Benchmarking Data in 2023 State of Risk and Compliance Report” (Jul. 26, 2023).

NAVEX Dataset and Methodology

The dataset that forms the basis for this year’s report includes a record 2.15 million reports (Reports) received in 2024, up from 1.86 million in 2023. The data encompasses a record 4,077 organizations, up from 3,784 in the prior year, noted Olson. Those organizations had about 69 million employees. Retail, healthcare and finance/insurance remain the top three industries represented.

The Reports were made either by hotline (29%), via the web (33%) or by “other” means (37%), a category that includes walk-in reports, emails and letters. Four-fifths of the Reports were from North America.

The six categories covered in the Benchmarking Report are the same as last year:

  1. accounting, auditing and financial reporting (accounting);
  2. business integrity, which includes bribery and corruption as a subcategory (business integrity);
  3. workplace conduct (previously called human resources, diversity and workplace respect);
  4. environment, health and safety (EHS);
  5. misuse or misappropriation of assets (misappropriation); and
  6. other.

As in its other studies, to ensure statistical accuracy, NAVEX only included organizations that received at least 10 Reports in 2024. Additionally, the Benchmarking Report often uses the median data point in a dataset rather than the average data point. Use of medians provides metrics that are comparable regardless of an organization’s size. They are less affected by outliers, which are likely to occur in such a large sample size, explained Olson.

No Change in Reports per 100 Employees

“Report volume remains at record levels for the second year in a row,” noted Penman. There were a median 1.57 Reports per 100 employees, the same as the record level in 2023. However, the middle 50% of the distribution narrowed slightly toward the median, she observed.

Report volume depends on how NAVEX customers use their systems, continued Penman. Some capture only web and hotline Reports. Not surprisingly, organizations that track all three sources – web, hotline and “other” – had a median of 2.21 Reports per 100 employees, versus just 1.04 per 100 for organizations that track only web and hotline. Companies that do not track all three could be missing valuable data points, she added.

The smallest organizations – those with less than 2,500 employees – had by far the highest median volume of Reports. They had 3.11 Reports per 100 employees, roughly in line with last year. At the other end of the spectrum, the largest organizations – those with more than 100,000 employees – had 1.24 Reports per 100 employees, a 10% increase in volume over the prior year.

See “Website Privacy Compliance Statistics and Practical Takeaways” (Jan. 8, 2025).

Web Reporting Overtakes Hotlines

The median reporting value of web Reports was 58%, versus 26% for hotline Reports and 23% for “other” Reports. For the first time, however, the frequency of web reporting (33% of all Reports) was greater than hotline reporting (29%). “Other” Reports remained the most frequent overall (37%). This reflects that employees want a variety of ways to report. Thus, it is advisable to make multiple channels available, according to Penman.

The web remains the most common vehicle for anonymous reporting, with a median of 71%, versus 50% for hotlines and just 2% for “other” Reports. Even though anonymous web Reports are most common, they are also the most likely to be substantiated, according to Penman.

See “DOJ’s 2024 Edits to the ECCP: Speaking Up, Compliance Resources and Lessons Learned” (Dec. 11, 2024).

Inquiries Versus Allegations

Most Reports (92%) were “allegations” of various types of potential misconduct; and the remaining 8% were “inquiries,” roughly in line with last year. The proportion of Reports consisting of inquiries has declined steadily since 2019, when they accounted for 15% of all Reports.

Inquiries can provide valuable insights because they may be the precursors to allegations, said Penman. For example, a person who asks about a company’s conflicts of interest policy may later report the problematic behavior that prompted the inquiry. Tracking inquiries can also help organizations understand where employees need more clarity on compliance matters, added Olson. More than half of the inquiries in the Benchmarking Report involved compensation/benefits or conflicts of interest. The next eight most frequent inquiries concerned:

  • health and safety;
  • data privacy and protection;
  • confidential and proprietary information;
  • bribery and corruption;
  • harassment;
  • accounting;
  • misappropriation; and
  • substance abuse.

A Decrease in Anonymous Reporting

Just over half of all Reports (54%) were made anonymously. That proportion has been declining steadily since 2009, when 65% were anonymous. The median reporting value of anonymous Reports ranged from 50% for accounting and “other” Reports, to 60% for EHS and misappropriation Reports. Workplace conduct Reports are the most likely to be reported anonymously. Thirty-eight percent of bribery and corruption Reports were anonymous.

As in 2023, the overwhelming majority of anonymous Reports were made either via the web (71% median) or hotline (50% median). Generally, larger organizations had somewhat lower median rates of anonymous reporting than smaller organizations.

“The follow-up rate to anonymous reporting remains terribly low,” said Penman. For the past few years, it has hovered at around 26%, down significantly from a high of 36% in 2019. “This is an opportunity to remind employees, as part of your training, that it is okay to report anonymously, but please stay engaged and please check back,” she advised.

Anonymous reports can be challenging to address, because the reporting person might not provide enough information, noted Norberg. Regardless of how much information a company receives in a report, the company should carefully document how it handled the matter. For example, it could document that it received a report, investigated to the extent it could and then hit a dead end because it did not have access to the person who reported.

Workplace Conduct Remains Biggest Risk Area

When viewed by risk category, reporting is relatively consistent year over year, said Penman. Workplace conduct Reports continue to account for about half of all Reports. The five most frequently reported subcategories of workplace conduct Reports were civility, discrimination, health and safety, conflicts of interest, and data privacy and protection, each accounting for between roughly 5% and 8% of total workplace conduct Reports. Nearly half of workplace civility Reports were substantiated, she noted.

During the pandemic year of 2021, the median for EHS Reports was 8.7%; it has since fallen to 6.1%. Within that category, “imminent threat to a person, animal or property” increased to a median of 1.53%, the highest in four years – and had a substantiation rate of 90%. It is “unfortunately, a very important risk type and one to take very seriously,” said Penman.

The median reporting value of bribery and corruption Reports was 2.28%. Such Reports accounted for just 0.50% of all Reports, down from a four-year high of 0.69% in 2022. Median accounting Reports have fallen from 5.1% in 2021 to 4.3% in 2024.

Substantiation Rates Rising

NAVEX examined the number of Reports containing allegations that organizations closed after investigation as being either partially or fully substantiated. The overall median substantiation rate hit an all-time high of 46%, up from 36% in 2012.

Over the past four years, the median substantiation rate for each of the six main risk categories has either increased or stayed the same. In 2024, the median rates were:

  • EHS – 57%;
  • misappropriation – 56%;
  • accounting – 50%;
  • business integrity – 50%;
  • workplace conduct – 40%; and
  • other – 33%.

In each category, median substantiation rates were unchanged year over year, with the exception of misappropriation, which rose six percentage points. The two most commonly substantiated Report types were imminent threats to a person, animal or property (90%) and insider trading (80%). Thirty-nine percent of bribery and corruption Reports were substantiated. At the opposite end of the spectrum, just 18% of retaliation Reports were substantiated – the lowest by a wide margin.

The median overall substantiation rate of “named” (i.e., not anonymous) Reports was 50% in both 2023 and 2024, up from 46% in 2021. The median for anonymous Reports was 34%, up from 33% in each of the past three years.

The median substantiation rate for hotline Reports has held steady at 33% over the past four years. The median for web Reports has risen to 40% from 37% in 2021. The median for “other” Reports is 61%, versus 53% in 2021. Companies should ensure they track “other” Reports, which have a high probability of being substantiated, noted Penman.

Case Closure Times Continue to Fall

Median case closure times have fallen from 24 days in 2021 to 21 days in 2024. However, the range of closure times has expanded, meaning that there are some Reports that are taking longer to close, noted Penman. A significant proportion of Reports in each of the six risk categories took more than 100 days to close, ranging from 10.7% of misappropriation cases to 21.7% of accounting cases. Bribery and corruption Reports took a median 92 days to close, by far the longest of any risk type. There was no difference in closure time between anonymous and named Reports, she added.

Additionally, the percentage of Reports that were closed on the same day that they were opened has grown significantly year over year to roughly one-quarter of Reports, versus less than one-fifth last year. It is possible that some are closed because companies have moved them to a different system – not because they have been resolved, noted Penman. When companies do transfer Reports internally, they should continue to track them to ensure they are addressed.

As in 2023, there was a “median of medians” of eight days between incident and Report and a “median of means” of 25 days. The much higher median of means value reflects the significant impact of outliers in the dataset. The median and mean days between incident and Report were highest for accounting Reports (16 and 25 days, respectively) and lowest for EHS Reports (four and eight days, respectively).
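The aggregation steps described in the methodology section and in the paragraph above (keep only organizations with at least 10 Reports, take medians across organizations rather than averages, and summarize incident-to-Report lag as both a “median of medians” and a “median of means”) are easy to misread without seeing the arithmetic. The following is an added example, not NAVEX’s code or data: it runs those steps over a small constructed dataset and shows why a single very late Report lifts the median of means above the median of medians.

```python
"""Added example (not NAVEX's code): the per-organization aggregation the
article describes, run over a constructed dataset. All numbers are invented."""
from statistics import mean, median
from typing import Dict

# Constructed sample organizations. "lags" holds one entry per Report: the
# number of days between the incident and the Report. "substantiated" is the
# count of those Reports closed as partially or fully substantiated.
ORGS: Dict[str, dict] = {
    "org_a": {"employees": 1000, "lags": [1, 2, 2, 3, 3, 4, 5, 6, 7, 8, 9, 10],
              "substantiated": 6},
    "org_b": {"employees": 5000, "lags": [2, 3, 4, 5, 6, 7, 8, 9, 10, 400],
              "substantiated": 4},                     # one very late Report
    "org_c": {"employees": 20000,
              "lags": [1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8],
              "substantiated": 9},
    "org_d": {"employees": 300, "lags": [2, 3, 100, 120, 140],
              "substantiated": 5},                     # only 5 Reports: excluded
    "org_e": {"employees": 800, "lags": [1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 90],
              "substantiated": 5},
}

MIN_REPORTS = 10  # the inclusion threshold the article attributes to NAVEX


def eligible(orgs: Dict[str, dict], min_reports: int = MIN_REPORTS) -> Dict[str, dict]:
    """Keep only organizations that logged at least min_reports Reports."""
    return {name: o for name, o in orgs.items() if len(o["lags"]) >= min_reports}


def reports_per_100(org: dict) -> float:
    """Report volume normalized by headcount (the article's per-100 metric)."""
    return len(org["lags"]) / org["employees"] * 100


def substantiation_rate(org: dict) -> float:
    """Share of an organization's Reports closed as substantiated."""
    return org["substantiated"] / len(org["lags"])


def median_reports_per_100(orgs: Dict[str, dict]) -> float:
    """Median of the per-organization rate: each org counts once, whatever its size."""
    return median(reports_per_100(o) for o in eligible(orgs).values())


def median_substantiation_rate(orgs: Dict[str, dict]) -> float:
    """Median across eligible organizations of their own substantiation rates."""
    return median(substantiation_rate(o) for o in eligible(orgs).values())


def lag_summary(orgs: Dict[str, dict]) -> Dict[str, float]:
    """Per-org median and mean lag, then the median of each across orgs.

    org_b's single 400-day lag barely moves its median (6.5 days) but pulls its
    mean to 45.4 days, so the median of means ends up well above the median
    of medians, which is the outlier effect the article points to.
    """
    per_org = [(median(o["lags"]), mean(o["lags"])) for o in eligible(orgs).values()]
    return {
        "median_of_medians": median(m for m, _ in per_org),
        "median_of_means": median(a for _, a in per_org),
    }


if __name__ == "__main__":
    print("eligible orgs:", sorted(eligible(ORGS)))
    print("median Reports per 100 employees:", round(median_reports_per_100(ORGS), 3))
    print("median substantiation rate:", round(median_substantiation_rate(ORGS), 3))
    print("lag summary:", lag_summary(ORGS))
```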

Report Outcomes

NAVEX’s system can trace cases from their initial report through final resolution, which reveals some interesting trends.

Separations Increase, Other Discipline Declines

Although “discipline” remained the most common outcome of substantiated Reports, its frequency has declined in each of the past four years, from 35.7% in 2021 to 30.7% in 2024. Policy change as an outcome also declined during that period, from 10.2% to 7.6%. In contrast, the frequency of separation (termination of employment) has risen during that period from 12.4% to 20.2%. Just over half of substantiated misappropriation Reports resulted in separation, noted Penman.

A significant proportion of substantiated Reports in each of the six risk categories resulted in “no action,” including about one-fifth of business integrity and “other” Reports, and 17% of accounting and EHS Reports. Additionally, the smallest organizations took no action in nearly 42% of substantiated Reports, versus not more than 16% of other organizations.

Rising Retaliation-Related Risk

The median reporting rate for retaliation was 3.08%. It has increased in each of the past four years. However, just 18% of retaliation Reports were substantiated, observed Penman. Moreover, 45% of such substantiated Reports did not result in discipline or termination of employment – and nearly 14% resulted in no action.

These results are surprising because, in most companies, retaliation is a violation of the code of conduct, which usually results in some form of discipline, noted Norberg. Retaliation is “a huge risk” for companies. First, there is risk of litigation. Second, it may cause other employees to distrust the system, making them less likely to report internally – and more likely to report to a government agency. Companies must do thorough investigations of claims of retaliation, even when they come from employees with less than stellar track records.

Third-Party Reports

As it did last year, NAVEX examined Reports filed by individuals outside the subject organization. In 2024, about one-tenth of Reports were filed by third parties, versus 82% by employees and 8% by individuals whose relationship was not known.

The median reporting value for web Reports by third parties was 65%, versus 60% for employees. The medians for hotline and other Reports were 50% and 25%, respectively, versus 33% and 19%, respectively, for employee Reports. Median web reporting by third parties increased modestly over 2023. Reporting via hotline remained flat and “other” reporting fell modestly.

A median 44% of Reports by third parties were anonymous, versus 57% for employee Reports. A median 33% of third-party Reports were substantiated, versus 45% for employee Reports. Both anonymous reporting and substantiation findings were consistent with the 2023 findings. With respect to substantiated Reports, separation was a more common outcome for employee Reports (17.6%) than third-party Reports (9.1%), while “no action” was more common for third-party Reports (17.2%) than employee Reports (10.5%).

Differences Among Organizations

For the first time, NAVEX categorized the organizations in the dataset as either public companies, private companies, government organizations or educational organizations. Public and private companies make up most of the dataset, noted Penman. Government organizations are mostly state and local entities.

Government organizations had a median 2.38 Reports per 100 employees, versus 1.80/100 at private companies, 1.10/100 at public companies and 1.41/100 at educational organizations. Reports to government organizations, private companies and public companies were relatively evenly divided among web, hotline and other media. In contrast, about 60% of Reports to educational organizations were made via the web.

The median substantiation rate at private companies was 50%, versus 43% at public companies and just 39% and 40%, respectively, at educational and government organizations.

Private companies imposed discipline or separation in about 49% of substantiated cases, versus about 55% for public companies and less than one-third for educational or government organizations. On the other hand, private companies took no action in nearly 17% of substantiated Reports, versus roughly one-tenth of each other type of organization.

Risk From Whistleblowers Remains High

Whistleblowers a “Force Multiplier” for SEC

The SEC’s whistleblower program has been a “force multiplier” for the agency since its 2011 inception, Norberg said. As of the end of September 2024, it had received more than 93,000 tips since inception, including about 11,000 in fiscal 2024 and 12,000 in 2023.

Critically, as of 2020, 75% of employees who reported to the SEC and received an award had reported internally first, cautioned Norberg. Although it is hard to know precisely what happened, it is likely that someone at those companies knew a problem existed and the company missed the opportunity to investigate, address the issue and possibly self-report.

Additionally, the SEC has brought 39 actions involving whistleblower protections, including five for retaliation against whistleblowers and 34 for impeding communications with the SEC, Norberg explained. The SEC expects confidentiality agreements to have carve-outs for government reporting.

DOJ and FinCEN Programs

In 2024, the DOJ’s Fraud Section announced a whistleblower rewards program. It is intended to fill gaps in other programs, according to Norberg. Consequently, if a whistleblower is entitled to an award from the SEC, Commodity Futures Trading Commission (CFTC) or Financial Crimes Enforcement Network (FinCEN), the whistleblower will not be eligible for a DOJ award. The DOJ program was targeting Foreign Corrupt Practices Act (FCPA) violations and certain money-laundering schemes. To date, the DOJ has probably received about 200 tips.

FinCEN also has a whistleblower program that mirrors the SEC’s, added Norberg. Although it does not yet have final rules in place, it is receiving tips and can still pay awards. It is important for compliance professionals, board members and executives to be aware of whistleblower regimes “because if an employee doesn’t feel heard internally, they can easily turn around and report to these programs externally,” she said.

See “What to Know (and Do) About DOJ’s Efforts to Identify and Prosecute Cybersecurity Fraud Under the False Claims Act” (Oct. 30, 2024).

Tips for 2025

Use Data Proactively

“Looking backwards at your data is very helpful, but it is really not sufficient,” said Olson. Organizations should take a more proactive stance, identify new vectors for growing risks and identify emerging reporting trends.

Organizations should pay attention to increases in same-day Report closures, advised Penman. Compliance must stay on top of cases, even when they are referred to other areas. Additionally, organizations should not lose sight of workplace culture indicators tied to the workplace conduct risk category.

Whistleblowers, DEI and Retaliation Matters

“Whistleblowers are not going away,” cautioned Norberg. The SEC and CFTC programs were put in place by Congress and are unlikely to disappear despite political upheaval. Moreover, regardless of politics, few people oppose efforts to report harm to individual investors or pensions. Although all new administrations have their own priorities, the whistleblower laws remain on the books.

Although FCPA enforcement may be scaled back by the Trump administration, organizations should not be complacent, Norberg warned. If organizations fail to maintain robust compliance programs, conduct internal investigations and remediate issues, they could be in the hot seat four years from now under a different administration. They should enable employees to report without fear of retaliation and investigate and take seriously tips regarding retaliation.

Finally, given the new administration’s hostility to diversity, equity and inclusion (DEI) initiatives, organizations should think about how they will respond to DEI-related reports, advised Norberg.

Share Data With Employees

“I do think it is important to share some statistics with employees,” Penman said, so that employees know that the company has received complaints and is doing something about them. For example, a company might provide information on substantiation rates and state that it has taken appropriate action up to and including termination of employment on such matters. How much detail to share depends on an organization’s own circumstances.

People Moves

Tech Counsel Joins Clifford Chance in New York
Clifford Chance has welcomed Michael Povman to its global tech group as counsel in New York. He is the former managing director and associate GC of the Bank of New York Mellon (BNY).

Povman’s practice focuses on tech-related initiatives such as AI governance, intellectual property and data privacy, as well as on commercial and tech transactions involving banks, including structuring, negotiating and managing transactions. He also advises on regulatory compliance across matters related to technology, information security, privacy, payments and vendor risk management, including developing corporate- and business-level policies, and meeting with various regulatory agencies.

Prior to joining Clifford Chance, Povman spent more than three decades building and leading BNY’s commercial law group. During his tenure, he established a multi-disciplinary Third-Party Governance Program that improved vendor risk management processes, ensuring compliance with global regulations and providing executive management with actionable insights into the amount and nature of risk within the supply chain.

For insights from Clifford Chance, see “U.K. Equifax Fine Calls for Stricter Parent-Subsidiary Data-Sharing Processes” (Oct. 15, 2023); and “Cybersecurity Compliance Lessons From NYDFS’ Carnival Action” (Aug. 3, 2022).